ramnit | be64cb0438360f73d84ae818dd10e42628b978a53a4948595eadfbfe9d871aeb

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

917387bb066306477f16d7a717250842_JaffaCakes118.html
Size

2.3MB
MD5

917387bb066306477f16d7a717250842
SHA1

b901063f0525ece14367f4e31b51bec1c02002c7
SHA256

be64cb0438360f73d84ae818dd10e42628b978a53a4948595eadfbfe9d871aeb
SHA512

0216dee86a5b87bb609c588b7ba62763c9cea376ae4fb858486d7fb7a649af05bef626473c951f6cceac139e591add9adee0c0374493e8fb7571416dda44e8c3
SSDEEP

24576:x+Wt9BJ+Wt9Bq+Wt9BP+Wt9Bo+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+Wv:i

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 28 IoCs

Processes:

svchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

pid	Process
2276	svchost.exe
2856	DesktopLayer.exe
1756	FP_AX_CAB_INSTALLER64.exe
1852	svchost.exe
564	svchost.exe
292	DesktopLayer.exe
1208	svchost.exe
1348	DesktopLayer.exe
2892	svchost.exe
1040	DesktopLayer.exe
1684	svchost.exe
2760	DesktopLayer.exe
3056	svchost.exe
664	DesktopLayer.exe
708	svchost.exe
2168	DesktopLayer.exe
3052	svchost.exe
3032	DesktopLayer.exe
1576	svchost.exe
1768	DesktopLayer.exe
1276	FP_AX_CAB_INSTALLER64.exe
2348	svchost.exe
1712	svchost.exe
2228	DesktopLayer.exe
2908	svchost.exe
1488	DesktopLayer.exe
2080	svchost.exe
728	DesktopLayer.exe

Loads dropped DLL 17 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid	Process
2948	IEXPLORE.EXE
2276	svchost.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000600000001878f-6.dat	upx
behavioral1/memory/2856-21-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2856-18-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2856-15-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2856-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2276-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/564-136-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/564-133-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2276-132-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1348-148-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1684-197-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/708-272-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2228-755-0x0000000077500000-0x00000000775FA000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB3F4.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBBEF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB50D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCCA.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB377.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB4AF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB693.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB387.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB5D7.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB625.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA0C2.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px63A3.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB57A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBBC1.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\SETB358.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETBB74.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETBB74.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETB358.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DesktopLayer.exeIEXPLORE.EXEDesktopLayer.exesvchost.exesvchost.exeDesktopLayer.exeIEXPLORE.EXEIEXPLORE.EXEsvchost.exeFP_AX_CAB_INSTALLER64.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exeIEXPLORE.EXEsvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exeIEXPLORE.EXEDesktopLayer.exeDesktopLayer.exesvchost.exesvchost.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEsvchost.exesvchost.exeDesktopLayer.exeDesktopLayer.exesvchost.exeDesktopLayer.exeDesktopLayer.exesvchost.exeDesktopLayer.exeIEXPLORE.EXEDesktopLayer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e767b8043edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438568648"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000118575e5639c7b16ee1d7e99f95d510a86972f404ced82fe0e54fbccbf0e36dc000000000e8000000002000020000000649babbf957c4fb76ab9318100bd00026f4ba847de0b3c6796ff92ff369c37ec9000000016d35e41d46343dee913805e91a787094c73f4593a5eaa924340b9b75d036b7a9a1090ac7d511edf10f00f09805e658f5c60bf3e5e1da79529ff979a6dfe711d90dfd9dbc8c95990dbfad66ac86d9c388c054e4e0fda168bac718a1412a86e9ac1ea8a0c3645ae9d91b7995bbd3363c8fdc09e490357560919ea9cca482b16a2c2d4e639ea11edea044246f4677e796240000000d0ab45253421908c9158fb18e77179836e51f4767cb02963790bfb396ee0cf843925b4886366694116d91a7a20384ae6e4d4178e4b31b8b74333429c76b9b9d3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000c5fd0d2d653f5069feabb0d0481cd64ee6849147ff2485adb09a12c9f45934d0000000000e80000000020000200000006933d2b8ad2516e824782be2fa571b6501723780e65612d40d7f2cda970a3c752000000095092af979160c682c0eabf3d8e6fdc9270bfd208923c33f81de94db9a28faad400000009821e873378bdee6d7288787e8dccee2bceb2bd65ce260fe5fa6e026e6f3a1ca797d79a7c7d47ba69c9dfc2fb17196ab1ddd57666dc6177c65c4b8cc9fa9b8a7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF01BEE1-A9F7-11EF-B9BB-7694D31B45CA} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

DesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exeDesktopLayer.exe

pid	Process
2856	DesktopLayer.exe
2856	DesktopLayer.exe
2856	DesktopLayer.exe
2856	DesktopLayer.exe
1756	FP_AX_CAB_INSTALLER64.exe
564	svchost.exe
564	svchost.exe
564	svchost.exe
564	svchost.exe
292	DesktopLayer.exe
292	DesktopLayer.exe
292	DesktopLayer.exe
292	DesktopLayer.exe
1348	DesktopLayer.exe
1348	DesktopLayer.exe
1348	DesktopLayer.exe
1348	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
2760	DesktopLayer.exe
2760	DesktopLayer.exe
2760	DesktopLayer.exe
2760	DesktopLayer.exe
664	DesktopLayer.exe
664	DesktopLayer.exe
664	DesktopLayer.exe
664	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
3032	DesktopLayer.exe
3032	DesktopLayer.exe
3032	DesktopLayer.exe
3032	DesktopLayer.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
1276	FP_AX_CAB_INSTALLER64.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1488	DesktopLayer.exe
1488	DesktopLayer.exe
1488	DesktopLayer.exe
1488	DesktopLayer.exe
728	DesktopLayer.exe
728	DesktopLayer.exe
728	DesktopLayer.exe
728	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	Process
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE
Token: SeRestorePrivilege	2948	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

iexplore.exe

pid	Process
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	Process
2096	iexplore.exe
2096	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 2948	2096	iexplore.exe	30
PID 2096 wrote to memory of 2948	2096	iexplore.exe	30
PID 2096 wrote to memory of 2948	2096	iexplore.exe	30
PID 2096 wrote to memory of 2948	2096	iexplore.exe	30
PID 2948 wrote to memory of 2276	2948	IEXPLORE.EXE	31
PID 2948 wrote to memory of 2276	2948	IEXPLORE.EXE	31
PID 2948 wrote to memory of 2276	2948	IEXPLORE.EXE	31
PID 2948 wrote to memory of 2276	2948	IEXPLORE.EXE	31
PID 2276 wrote to memory of 2856	2276	svchost.exe	32
PID 2276 wrote to memory of 2856	2276	svchost.exe	32
PID 2276 wrote to memory of 2856	2276	svchost.exe	32
PID 2276 wrote to memory of 2856	2276	svchost.exe	32
PID 2856 wrote to memory of 2740	2856	DesktopLayer.exe	33
PID 2856 wrote to memory of 2740	2856	DesktopLayer.exe	33
PID 2856 wrote to memory of 2740	2856	DesktopLayer.exe	33
PID 2856 wrote to memory of 2740	2856	DesktopLayer.exe	33
PID 2096 wrote to memory of 2772	2096	iexplore.exe	34
PID 2096 wrote to memory of 2772	2096	iexplore.exe	34
PID 2096 wrote to memory of 2772	2096	iexplore.exe	34
PID 2096 wrote to memory of 2772	2096	iexplore.exe	34
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 2948 wrote to memory of 1756	2948	IEXPLORE.EXE	36
PID 1756 wrote to memory of 2956	1756	FP_AX_CAB_INSTALLER64.exe	37
PID 1756 wrote to memory of 2956	1756	FP_AX_CAB_INSTALLER64.exe	37
PID 1756 wrote to memory of 2956	1756	FP_AX_CAB_INSTALLER64.exe	37
PID 1756 wrote to memory of 2956	1756	FP_AX_CAB_INSTALLER64.exe	37
PID 2096 wrote to memory of 2708	2096	iexplore.exe	38
PID 2096 wrote to memory of 2708	2096	iexplore.exe	38
PID 2096 wrote to memory of 2708	2096	iexplore.exe	38
PID 2096 wrote to memory of 2708	2096	iexplore.exe	38
PID 2948 wrote to memory of 1852	2948	IEXPLORE.EXE	39
PID 2948 wrote to memory of 1852	2948	IEXPLORE.EXE	39
PID 2948 wrote to memory of 1852	2948	IEXPLORE.EXE	39
PID 2948 wrote to memory of 1852	2948	IEXPLORE.EXE	39
PID 1852 wrote to memory of 292	1852	svchost.exe	40
PID 1852 wrote to memory of 292	1852	svchost.exe	40
PID 1852 wrote to memory of 292	1852	svchost.exe	40
PID 1852 wrote to memory of 292	1852	svchost.exe	40
PID 2948 wrote to memory of 564	2948	IEXPLORE.EXE	41
PID 2948 wrote to memory of 564	2948	IEXPLORE.EXE	41
PID 2948 wrote to memory of 564	2948	IEXPLORE.EXE	41
PID 2948 wrote to memory of 564	2948	IEXPLORE.EXE	41
PID 564 wrote to memory of 1388	564	svchost.exe	42
PID 564 wrote to memory of 1388	564	svchost.exe	42
PID 564 wrote to memory of 1388	564	svchost.exe	42
PID 564 wrote to memory of 1388	564	svchost.exe	42
PID 292 wrote to memory of 1816	292	DesktopLayer.exe	43
PID 292 wrote to memory of 1816	292	DesktopLayer.exe	43
PID 292 wrote to memory of 1816	292	DesktopLayer.exe	43
PID 292 wrote to memory of 1816	292	DesktopLayer.exe	43
PID 2096 wrote to memory of 1548	2096	iexplore.exe	45
PID 2096 wrote to memory of 1548	2096	iexplore.exe	45
PID 2096 wrote to memory of 1548	2096	iexplore.exe	45
PID 2096 wrote to memory of 1548	2096	iexplore.exe	45
PID 2948 wrote to memory of 1208	2948	IEXPLORE.EXE	44
PID 2948 wrote to memory of 1208	2948	IEXPLORE.EXE	44
PID 2948 wrote to memory of 1208	2948	IEXPLORE.EXE	44
PID 2948 wrote to memory of 1208	2948	IEXPLORE.EXE	44
PID 1208 wrote to memory of 1348	1208	svchost.exe	46

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\917387bb066306477f16d7a717250842_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2740
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2956
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:292
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1816
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1388
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1348
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1776
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2892
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1684
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1804
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3056
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1476
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:708
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2168
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1440
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2496
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1576
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2208
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2348
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2228
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2872
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2908
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1488
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2080
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:728
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275464 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:406538 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:209943 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:799752 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:1258510 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:1848330 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:3814411 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:1848339 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:1520673 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1820

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
85d1bf859f56f73a0684c705f87f730d

SHA1
d81aba0e1fbc5a4af4e9ea11e6b86ad3def0bd6a

SHA256
825abbfd0a8a4ad8ecbcbaa5ab56b6e9484dd034aa8bcdde6534dac41d81141f

SHA512
205bac5961f42189ac0b30cd1050ffc501d1db80cfb11273c4cf0be7d7c1d313c1daca9b78a437188ea049ee2f179c917cde39dee9a02d3bd9006b0040b3b650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61796f5a32361293431323a22aaa42f4

SHA1
ade66dd5409287028571ebcf0817b64fd8b6ff94

SHA256
b067ec68ff05f7d4cf743ad093729590173d876fe0d106949744d3236433f57a

SHA512
0bc2959b69b28f21fa16cb2c4fe47b42569dbd0bc5614de712af531b9a027ddaf0ae2a3777e4385b4e61be182163f1fa06adc57ac99581f920f668f9f00b217e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f08c78c16b4dac9a0226531e94511be8

SHA1
f36ebcfe5779831bdf63ee970eedb8290ba4bcad

SHA256
b1d44d546005f9447ce1d96ef68d20f0e8f669dfab752650554f115e5c98be73

SHA512
2782caadee19e855cd234e17c248860b526cfed62a42845f804e442f59e3179efd5ee73e9677117ee551a4aef7fb6489c1edf73d3eddfe65d1fc6436b954e429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a09f246a9ddf554e56b7f17baed7aeb

SHA1
1d4b4e23e6169ba1a931971d2cef56bb1e9cd901

SHA256
b0c130e66f0e9bd44f7a41600fc14a240511b5369db1a14db08783bd6d07ef1f

SHA512
c1ee5e7aa408290132d418f03e49744d90aae30ebd8cf7f0703073361985c3dd30b52d08fc56e12d0bad40b4fb82659f6fc7e4c8c4fae6d4dd803efd2915bc27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f213227a8d6e5b59b4ab16d550606a8

SHA1
0a17509e5b143207a45ee5377c75530b3b47d574

SHA256
dd68b8bfa5f6d6a4c51ddf328b79debbf4951a9c4918b88236c3420ae6d903d7

SHA512
ed32b8cc8b6b5e5e071fcec7dd131dc5d4cb3121f693ab66d277a7f2a661a610fe4801debf01b872d01f66a7e16ad94a2554512d8b28222deffc0d07b0de6f60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
974cdc1d0c7b6f664baef0e7343cd85f

SHA1
9054efe6f1573231b4ad3a9f905c35077588108f

SHA256
dc6668561aa268b7a979918574a498a97ffca054c3369165d3490895c07f3d31

SHA512
e525eef1e9d4e2774828348ee1346a6495b482b88c436b26911de59042b2481ec8410938962e60fa1e6944dac74218c24cfd87505a88dfc6fc0b5bf04f1b8c17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e4f44fe422598252601cc88d2300893

SHA1
18ecac07a75795e5f34550608e192a8aae0cbf60

SHA256
733ed5bdbbe527d4ee68e8ee9eaf924d7b1342e06eab3ef2eda71b730311323d

SHA512
8b2fc66b8d45ef40373871479ec3a0182ff79d2c82359221479c94a6e04f93be3ab3983ba6bbf0566f0ec837620d96c1b2ff9a7694ce4cba4991e20faa0622e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8da2bfd50ab40af6946f5ffc991740f4

SHA1
ea8e2382202bc4e018c01f8d69408ee91d87f20c

SHA256
aa3f22dc6596a715efe09d09d62c2816828bf5d5554bf104411199fe593c8e71

SHA512
43627b91ac8e08ef4ba3e9b26cee7f25756196c9782746c24da0654ea5b945f7783dfca440a719c9c66be55286d814802beef43ac4d3df0c4b74794387ecaf79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a15d954c1b2a750f42faf3b2d7e3dc2

SHA1
f8a4e4aa4a89755ffe7c2a237663373010a5a2e6

SHA256
932e9092162564d1c5e2443cec869f3ecdfc6b9cd50e37b1b1555d790648d42b

SHA512
a2409847a2946f9f153b08a6b8ecf978e6a6b702091715e31d8aa5c44359a5482616e3a23d2d5e0b96c6956547215b120b2172a090f59e89b2af1de46bff618e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e4e68cec874d7da20673696f054275

SHA1
f5eac329ce055ad1e578350526bde1e1a639f1e6

SHA256
269645387a8cf65a942bb1ff6d90e0b95db797251872ee0a7f008fe99154c90b

SHA512
b159da6921dd32a0546f2e45f28efbc583f7fad284824eb4b32afc485be663a7bd19be5e5a6e0a27752a9225ac801fb99303835f304276cb22b14bf7e95b56b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01ac30e0f264c15e94976c1ff6e139be

SHA1
8e1558c75777ae64fcbc34fee639611dd7fb3fe5

SHA256
ef0c5f158456b2b498f7f29b0d6630b7521ca15d4768699aa4640138b6198508

SHA512
5f970a888bac88b45ed794ee93bc75b021f1dae28272905244a0ff9f70ac6837e2a485a7d6257819e9c555c3f0a0b432a36ed51b8a9dae8448bf8f88877afc45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f1a47dc6082886cbbc816123beb11c3

SHA1
d2219c0eecf06a817afe439bd9951a87ed2e1d10

SHA256
65b5b488d9edd1ec416d991db12db0c5bd19511e10a3b4a4af2a4f99c2445023

SHA512
8f4f314f35f5994d40d55e5939b2ef7f6e575cb1b865192586f0477a6d817438239dd80ee3021ce9d0e261a2a6d7ceca855ac7bb3a08a56f40ca76a74aad3b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ed130b797f4b75a5557e2becd1a582f

SHA1
725ee19836bd85ddfd9d88467aa18b3e257d4ea7

SHA256
19c90bc9e7a36d6d822f61b9a3939452dd5865ee6210aefe8457be47a77ac17b

SHA512
bc1fe3fe5afd1026401ea33c2b05cbd28018a780fbd2df980e00cc777200545d8d4d88007e2a31f5019a3a2a1447ba10a41f36582b79138eab2d6966e9a75f4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aee0e2bcd0cf6bf177e00a32bc2a4b0

SHA1
97b1ffbfbc2f57f2a0c80e644c8cca1561353454

SHA256
6a783235968d03010cfcf10ea4aa2e2bfe8d22f31d5a488ebd5fd448664e3622

SHA512
df6afbee6addebdce69521e8561a1b9757d492bbf7e60e043210e5bd6117b2f9d2fde8a7cfc9d916e876e1d662997044c3d464a2a3dc65c03b82a849e717cdd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1b69c35b6ae23d79340ebde95af9fde

SHA1
6ad9696fdc2b845d02a25fbbe9caad11ba0d3529

SHA256
3aa5867f0bf585a6c23e3cfbe0dfdf72a25ac6149fba03fada21d60480c744ad

SHA512
82df0640aabd85848a8e66a54617289574c75ca4c24e966738b54b0c0530554a8029558d984a3d8959aea9764c87d8d7970f0d773edc57e55e4034e38be308cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236948e9251813d7d519e48e9768d4c4

SHA1
daabaae545bb2d487a61918ceef303abde7b2017

SHA256
ab9e24fe998b25ba83a8cada3249dc069f4f1caa3639934442fb056c7635f1cb

SHA512
ae209586146162c2fc27584d862c2d31380d6151548fa21b2169712843ad178c94d61206e81574d3684a62efb6867a6f4cc40e47f97b3a8201a0879d44fab38a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
becd2feb81125a01faba9940fdb6498d

SHA1
e9e8cb7992e37d72ca6bfd3e5a6a848052fbbe04

SHA256
b1bbc19419b1bf3453b94492f8e337d5f77c03d9322264ad22e18ce4402fed82

SHA512
04225d6b37e835af4b640e4f2cd5f4179a3f9b23f6d1937c0f20ff9aaf2239e96df7912e72e57e3eaf75c900281fcd09e762a4fd33afeac3fd2bc88cdd09bb15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
880236eda0cb67c9ab84211237ed6248

SHA1
2611e5a7c1519a884fbfeb3d28b308aa067a5f5f

SHA256
3783370e000c524b6dfcd040537a3c25fcdbbd6fd6911d3c8ce073122ada6217

SHA512
922fd9af3a5348afe46b4903a8ba34cc29549a6cd85c92b233f647ebf5d1628f3393a0f606eb9e200d5223b7286d1dd050d231884aa577c23f7714593a569bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d5b0a17b1285a8fa1a20884a4051426

SHA1
f896e5ff054389c8f5df69224ad558b2e4a55899

SHA256
76959c78bd9ec2ca2244d337b50a75c89361c36316d1899dd70d25e8cdd17a22

SHA512
11ae454123b06a06b40d231ef67ba3f65f437c504987f855f2c57be09b468fde703ab0fd885c9a6e8d12cf181a523d28cd2adcbdb3ae2f0e734832551f65208b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
534363c9fdb0f1ecb5cdc60ec6441b7e

SHA1
a24c35e4c31f5e0d12a076ac06d9bc5677a7e8d9

SHA256
a53be4828a9b4deb33ec2e3e9e112c1587fe91a73a4c245fd7b332b27fcdafa1

SHA512
f903d205c507b90acf3aca77811df137cfd6b0334886a239dbd48f5bb09237ce0fe49d240108f1b97978c5e0fe47521d9136e090df20a799ac778bc80bc36607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efb22a1990506df2e6875164bd0247d8

SHA1
3fc62ab13ad6961d73e03e3a21265ea4a72efaa3

SHA256
ea0b4e9b3133e440df9c3d09ca793c6a660fcc11fabeaf21a993af511f5a61d0

SHA512
c31dff3454d54a7a9af890d9e7498be389221b3ca227a2edc19fbbac536e927481f19bdc0d637e7c9a51352f1ae34f8a1ee6df9f7742436dba5bc3138031dc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5421c8d8e1f049a05ab14fb031ffe9fc

SHA1
8c4e7b620b87ec098fe2d73b6849c283d05c0d89

SHA256
c2156cc4bb42d54431295e6ab64932a39193da8475ebdeb8705a61dd2803d7d3

SHA512
78a2bcf43727e4e5b3cf2bd02bc2bf6522d67f6c80ad3f2db7ae609bd7454576d98a1f403daf8a17c3ef70f572cf0ff89ae4e5a6905b6ed2996cfe0140df2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dacb7d3addc69541ef4f3d27fa05968

SHA1
de76a70b68821bbeb6d2efa3c01e2d0b0a4d7791

SHA256
07f35003c9707f4b373620285dc217746f9154b35219fae470f1ad5f0040ba39

SHA512
65155e7f1cda606e734163af6ace630dfc913705d6fd6a4a3e3a1d0c6f2ecd020d50419b24795a70a23650da46f8ac5767e74a93b9e9738a0ceda10dde828205

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1e10d783bf6cfdb7197b9a71609ce08

SHA1
f1ab6b88a18d6b5f8f69732e331ce23621bda0da

SHA256
699e925b7d01525e7a8201226bf20204983695fa938ab05e2106ec83f09f25f3

SHA512
b42a6bbc2b2046ef0fae2ce36740bfdce12b72953936f7da27f6f03b030cf662833461d9aea4ddf45fcb7f6d47c507c7fd52c9e29dc07e43bb128b5470f09341

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ca607f7d44d8abf70fe56a0cebf3530

SHA1
248c6b43152ec59f1246ffaaee9cd12bdede6094

SHA256
07130a282721d78e9a07020d3857638d58e638a9c123b29c90b38779279cff52

SHA512
1a6db942d8199b1a664a0b4cc8748d49bee485d22a5da55af278b47c7e1a115dc9cd1410814ec1e528fea2e51d6d66a775924e1d3c5aa874cbefd3f1857bd60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1afab617169848d1eb173c65d35fcd13

SHA1
8ba9e1d5987f771051081505ce84824e9060427f

SHA256
7396d4283d556566d07d9e17d6e8f4690cb3ef345345248b1960148812e6498e

SHA512
2eab5ecf994bd9abda3b49e02906a9633477d20c5e634bdebf584da711db0fa01626cae35c23d26c2fad9688ae096292bcc36ca41b26b21bf0d330933aa4f926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE2C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAECB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
memory/564-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/564-134-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/564-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-193-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1348-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-751-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1768-334-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2228-755-0x0000000077500000-0x00000000775FA000-memory.dmp

Filesize
1000KB

Download
memory/2228-754-0x00000000773E0000-0x00000000774FF000-memory.dmp

Filesize
1.1MB

Download
memory/2276-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-12-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2856-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-17-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2856-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download