ramnit | d223d46f61a4901391bf1b2afe7f97de7568cd682a2aad7acd54a4a10dbb8564

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8349ad8542d7907f294d9d0aac8ce9e_JaffaCakes118.html
Size

456KB
MD5

c8349ad8542d7907f294d9d0aac8ce9e
SHA1

0765e6cfedbaa1b5a74bd494002686cf274dcfa0
SHA256

d223d46f61a4901391bf1b2afe7f97de7568cd682a2aad7acd54a4a10dbb8564
SHA512

32fb534d5d002b56ffb914e534b2e1a04a81609e5b885936aebae4561a237b3d896cf27cbf791d84259dbda55af8ec4323d0046c241984cd1b263a8a5b9abafb
SSDEEP

6144:SNBsMYod+X3oI+YzXsMYod+X3oI+YzsMYod+X3oI+YEsMYod+X3oI+YQ:0N5d+X3N75d+X3N5d+X3g5d+X3+

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
2348	svchost.exe
2804	svchost.exe
2844	DesktopLayer.exe
2252	svchost.exe
2696	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2348	svchost.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018736-2.dat	upx
behavioral1/memory/2348-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2844-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2348-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2348-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2844-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2804-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB1C2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB1D2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB184.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB1A3.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000d76395fcbbb82852f3b641d6ce7079c73dd9f538622c8a5f82d6efbbf686ebc6000000000e800000000200002000000086f1a6d40b1836038ad09fb2cdbcb5c2075e75d885e05c4e36b541edef9427e7900000007e5c6ec74a9d493c897e8ba45d92cafe7ab619e04395f8402cf95219545d8e481e6f0c7d924a1346137004c01c27720cfeaaff97f9cb51c5a5c460a36f1150f39ce4ab5224516b4ed41f0f4efde99f65ce2990d9a1ce4a1bb681cd235458bf96d30cefc5f108daff512cfb60184dbdc46a19beef0572a7f9cd81cf2f9a4dceda5d235f5295825cdb5eab8f0903386d16400000000751453087de48f09d00bd367f02dd1ba2009c43356fe6f0c9c3b8f9a33122cad58f3648e92c53239f5c2557451a110b1f0ba0d51151083590751289ef53f85b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA0CD741-65BC-11EF-93D0-F6C828CC4EA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000ea12536e28d9b3ff39f8f0423d7f3357cef3c304efbdfc11b026db4ca598da89000000000e8000000002000020000000f8fdfa3ab4fc702ffeabe62c9aa9721142c24e989c865b8aa7a4873cefb2c694200000000903f275a4212e9f3750a99021828bc4d3353390543cd9e715fb394f56597f1f40000000ff3f19cf7baf429a2428825e6942beb44d7dd9bb24748db683241bbc19d8f049679473deda26d0d9ea4b73f535a067b95d29648e3b5fa9981d3a9ccf7f2c1b03	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105bcb7ec9f9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431066512"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2516	iexplore.exe
2516	iexplore.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2972	2516	iexplore.exe	30
PID 2516 wrote to memory of 2972	2516	iexplore.exe	30
PID 2516 wrote to memory of 2972	2516	iexplore.exe	30
PID 2516 wrote to memory of 2972	2516	iexplore.exe	30
PID 2972 wrote to memory of 2348	2972	IEXPLORE.EXE	31
PID 2972 wrote to memory of 2348	2972	IEXPLORE.EXE	31
PID 2972 wrote to memory of 2348	2972	IEXPLORE.EXE	31
PID 2972 wrote to memory of 2348	2972	IEXPLORE.EXE	31
PID 2348 wrote to memory of 2844	2348	svchost.exe	33
PID 2348 wrote to memory of 2844	2348	svchost.exe	33
PID 2348 wrote to memory of 2844	2348	svchost.exe	33
PID 2348 wrote to memory of 2844	2348	svchost.exe	33
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	32
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	32
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	32
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	32
PID 2844 wrote to memory of 2712	2844	DesktopLayer.exe	34
PID 2844 wrote to memory of 2712	2844	DesktopLayer.exe	34
PID 2844 wrote to memory of 2712	2844	DesktopLayer.exe	34
PID 2844 wrote to memory of 2712	2844	DesktopLayer.exe	34
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2696	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2696	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2696	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2696	2972	IEXPLORE.EXE	36
PID 2804 wrote to memory of 2616	2804	svchost.exe	37
PID 2804 wrote to memory of 2616	2804	svchost.exe	37
PID 2804 wrote to memory of 2616	2804	svchost.exe	37
PID 2804 wrote to memory of 2616	2804	svchost.exe	37
PID 2252 wrote to memory of 3052	2252	svchost.exe	38
PID 2252 wrote to memory of 3052	2252	svchost.exe	38
PID 2252 wrote to memory of 3052	2252	svchost.exe	38
PID 2252 wrote to memory of 3052	2252	svchost.exe	38
PID 2696 wrote to memory of 2852	2696	svchost.exe	39
PID 2696 wrote to memory of 2852	2696	svchost.exe	39
PID 2696 wrote to memory of 2852	2696	svchost.exe	39
PID 2696 wrote to memory of 2852	2696	svchost.exe	39
PID 2516 wrote to memory of 2624	2516	iexplore.exe	40
PID 2516 wrote to memory of 2624	2516	iexplore.exe	40
PID 2516 wrote to memory of 2624	2516	iexplore.exe	40
PID 2516 wrote to memory of 2624	2516	iexplore.exe	40
PID 2516 wrote to memory of 3000	2516	iexplore.exe	41
PID 2516 wrote to memory of 3000	2516	iexplore.exe	41
PID 2516 wrote to memory of 3000	2516	iexplore.exe	41
PID 2516 wrote to memory of 3000	2516	iexplore.exe	41
PID 2516 wrote to memory of 2660	2516	iexplore.exe	42
PID 2516 wrote to memory of 2660	2516	iexplore.exe	42
PID 2516 wrote to memory of 2660	2516	iexplore.exe	42
PID 2516 wrote to memory of 2660	2516	iexplore.exe	42

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\c8349ad8542d7907f294d9d0aac8ce9e_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2712
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2616
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2852
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:209930 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:799747 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:930819 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
189e6db9398da5bcc669d33d115910bb

SHA1
301f8cdd2e00a585319cb9eb5f0ec1d90f1ba1d5

SHA256
7168d70e84f576f9229709cd6524694402c54c5480e9df6c84019279ead1ab88

SHA512
288e159f9f5d7184fc65abff295490e116b32a0a0f5ea60e245f712793f290141fa389fae2008a77ac2e7f397cbf631c8da9ffcd9d583f53a6108ba919b82760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa7b15d3baa192fb98232dcdfe1cc86f

SHA1
0ab4a22f65689285f565b5cbd8f06cdf7da05b64

SHA256
69ead85325dd9e21243261e435a688f88c5048522134ce48b0ac1a3b5a6029bb

SHA512
74785926dc0ae0bd75e6dfede7e2dcafdcb7e21282bd77e7c3f471e4cc1c107249246ba24675029f7f6e70de5d55cf1f38c7119cc2de6ee2b38a46c6e867f807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4b8150b7c9bd8ae71f7df4fc956f4b9

SHA1
d7a0b044d1269b9b5e89e13da68feb0e53dbcbd4

SHA256
5f22c3c410e3bc9aa998dcfceb229ee8c1d2f9dcf9917911f9fb5a09bb26454a

SHA512
a32b9b9661e6b543c2fe3e4540b63d6662fd3a06417a8c8d624683e8a736ba63cf422071e496780febb17ba31aa990081cd86c8fb45b13791622a54c9a0f0db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60074c4f33db5dfe3db3cdb256aba810

SHA1
f36f08681344b8be1f8875ee5db71cf1d3975c55

SHA256
9aefdb3028c7c6fec89b8e6ecb7b109a3aa89a2ad8290083a930e2bd61cc652f

SHA512
23ebd78558f382b5b5e04fe811f530c4ef75488ddc5f236de97133efa8ad3ed3722e004281833394c944b1fef0d01d6024b75ccc13a4173f98902dc7ec07c04b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bd77a9069528008bcdd22af99ceebd2

SHA1
829e19a56328e210bd5414c5e16a04fc416a57c6

SHA256
4f5add34d01283cdacb2fa5781764ba54bceb618cb4f6bbb8cb78738811a1ab5

SHA512
1b13a4be88bafb5fae03ed9d7b262635543c0cbfa088b26f54ae4dab3ea9aa72cd0eefce25f0f67e0e330a3f1fc72b32018e82de543e3c40c18a1909d0c61ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f03639bdcc8b240fecd7a854378af17

SHA1
03970246c8c2d61b6ddf9ce23b2e636053f11989

SHA256
6e4a2735fc8ee2386899e47de6ec514ca1141c8f3831ee9659bd924f99c49b54

SHA512
050647f75fab492cb576ffab7159a7368dbb28574a58b5c618f29a2c31933ad7064ff4f585b7761e537f5460afb44f2f96e6f4d760dc26899016092dac471679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb35c0eeb0a0e6e9ebb0fa1f5912613e

SHA1
23092d7b710a51e0d1a09fc5e219430b98edc795

SHA256
fb395cbd5fb4047291874145f62b9be9a1944e95b20f76b2cc47773c2d92c106

SHA512
b5faf451f1393e21d9520b31e571ad9f85a1085d03f197f9792cdaf90490af055fd9b44fc043aa045a101d4e54d4321fd53d5e766787b906289cda5524bc5851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24920a9b168d3f63422b2ae604944e42

SHA1
88a11e64362284e4604b71d0261e58ca3cebd1bb

SHA256
ed14b4821135944c072d9eeeaa39d8d88fc335b1ee52abd19bfa7ba4137cba8a

SHA512
41e036172643f96f94311328c749217bc967c3ac8acf8acf60bd0aa69504427395e5f42c49637bed9cb0b043df2b95edb80e4d3ec4edbaf2210fc9b9493de7db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acb11692d1a75419b326f16d11388d73

SHA1
15bc1dbe75b6144f9a7863278739cb400b54999f

SHA256
01ab00ad0455c3bd14aab21f4d33199b9395dc780cbad78fdda2f37b456681c7

SHA512
f344dd0959d8c445c755de187783631fdb6fa8d376d36584c06395550218bde4afeb15a9963fbf02e8867c7e66a0a04b8aa593d50063bfa191b1964cca65ac40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df6f0f013c50a46291287adcd66a0fa5

SHA1
c5852df6333b27b1c4ca85b6c553f38cfd17af6f

SHA256
2501e3cecca3863ccb7c784f07c6e4280bcdebe4e6690af72eed0afac773ecaa

SHA512
12258069ca5321ab809859a76c627ac3205aedb1ed42d725ef4a7383aed8780a33c05357cdcd79eb4063c90288a48c6361f211310ac69554a884120edb1ebf1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c86de03b11992c2755020910f1b109f8

SHA1
5577a460aa11b9480f3aba21165e9561006353a3

SHA256
9615effc52577532a7575cc8ef98ce3ed3b726b200139384167eaf5ede94ae55

SHA512
633e01972c4ba48a8dc726a214a3d4fac7c229b7ffef7a46f31f80eff7742e97c2bbf4689d41be9cac3b8c3cd57524565bbaa854c9074a882bf02c9a00041b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
158c500e4d9d16776e9567193bd75c36

SHA1
e6e1ba67819ad8a0247145dfd33b664a113ae790

SHA256
3647fd9c999eb58efdde85f9e815811340b6ed1824e727d2e4d8d308c774f319

SHA512
a5ba06d8e5fdb375c0a64cf8d79653f1eb2a58c912fe1c4e79236a8a576c9f61b38cb7da70e80a9607287686d8f79c288b64068963ddf5e99693f0e3a9097c5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68a8c2e5bf49529236d91c3ad7b1a463

SHA1
6ddaf03f15d44d8a692be121f316e701445f91bc

SHA256
8fb6afd58c3aec312856c8127eba5adf61495984c22e79ea0a85701450dd68ba

SHA512
2691cec6704258927b6a81adaf7bf95a288010f10f794877d1d0bcfaed230e2fa5adab84645d1d051b1846af116ae3a81fadf02adf56c7a701307df79d180670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
944949efa0e47dea2efe28dfef8d8464

SHA1
eb2653a943fd4119a11d373b0922eb8a4d91c8e7

SHA256
9cba3b12834af09cc448b91592403d41e71fe9f443df10fcfda904ba6f62ba35

SHA512
b55493ec5e0320b37eaf98570622ef9d346e8c248b4dbdf1e3c43fb084d79ea9dc843f114916fcd49b6d118efad0976660cdcff7fb3fdaf917b6f88ab5d17b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dc9f5ac0034c6742ab061d4b07c1fa5

SHA1
8cab1e46ede4cc5bb6bcf424c41cb2e52bfb1368

SHA256
ceb29842832d10f80e6ae772cd2ed242e00bd7ab2b7a6c52fc4e5e57674b058f

SHA512
3e75444bbc42cf1cd428029482f0eeaf0e30bacdd25fa31c80eef75f2e5b9904f83d0062981e55d29e1938a5322c7e90990f0004460e9f56ed069b03452871a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9b50b7bf7b4680d88fe05c1ef0440b6

SHA1
0730bc5b502e4c3e567b11f0a6f3a71a05abb4e5

SHA256
d332010424cfcbe672d8f0d1ae775faa3a8967cb2f7e61ff6d9176ed79590ef7

SHA512
28c175539401eb1f222f30733737cf37e4987edffb3ed3c9620180e7f4154a28ae54561a36a41022fd6711275925e5c529d4c388991607446d8d470087026e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbceabd66ae6bbb1f204ee20988b9ef

SHA1
25f80f52e7f9c71c9acd435944853e3e88dd87ab

SHA256
36ac1d2594e783a6f14cc014a95a9c19291248229a8ebe74009c53e07f4f2b92

SHA512
6f91fe014ca214102e230907661c121edc0cfc58f9c51be0a2bb1868f6240c26efa3eb99b2a7df6913dbc5d5b64304dffbff71e33bfb00ee054e594a7aaa795a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
159a483a1ecb18fd9da5d4cbbd6f24b0

SHA1
e0ae4fbe736fb258a77f1a109f185a59faa1a2ec

SHA256
e5cdf736c76331e0baad35a033f9193fa784991f2ea27b6db5158dd4b652a54e

SHA512
328e9c65db727a766a14d4b0d02dd455cb8f79777ddaf93b396095123b71cc43e20351d04aea51b5ac17a737ae40469fe232d2b76be49cb6e521af27dacf2f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aea4b63e5fd9f6c03b4128d3cebf03eb

SHA1
53e1bb1a617d8df96a05f5047f0ee1d6476490d9

SHA256
1f38761cbdd9c737a874071810eb0f73857e2494926218044423bd9a5e740e69

SHA512
fad19a324db3645d78e17f79c58493a132d3a57e8632fe65792ef4dbb1c2a2953b4cba82f06cca94cc38d510c79675f7d216cc5011be16b0dc64e047240073ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD30A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD761.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2348-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2348-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2348-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2348-7-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2804-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2844-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2844-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2844-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download