ramnit | a42f7b56b4c6bf449c8a4f4702f246e5c006aeea4dd691ae7a61f181e0701485

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ac22ca0c9d8b191495bebb8f1a9211_JaffaCakes118.html
Size

2.3MB
MD5

e2ac22ca0c9d8b191495bebb8f1a9211
SHA1

0f0a7d909c90170b9494e5832e1f457f77d3774e
SHA256

a42f7b56b4c6bf449c8a4f4702f246e5c006aeea4dd691ae7a61f181e0701485
SHA512

63b721d0a9db4b79582c1669db3f6411e6f29f9bba542a863d31ed4b841d08555b9484ad0a077cf261600eda961c21b9c9303505223d4ae7d9c315100b8c0f31
SSDEEP

24576:W+Wt9BJ+Wt9Bq+Wt9BU+Wt9Bj+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:Q

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 26 IoCs

pid	Process
2776	svchost.exe
2956	DesktopLayer.exe
1908	FP_AX_CAB_INSTALLER64.exe
1804	svchost.exe
1184	svchost.exe
2400	DesktopLayer.exe
1524	svchost.exe
1212	DesktopLayer.exe
2372	svchost.exe
1188	DesktopLayer.exe
1720	svchost.exe
2940	DesktopLayer.exe
2996	svchost.exe
2140	svchost.exe
2052	svchost.exe
1740	DesktopLayer.exe
2800	svchost.exe
3068	DesktopLayer.exe
2488	FP_AX_CAB_INSTALLER64.exe
1464	svchost.exe
972	svchost.exe
968	DesktopLayer.exe
2580	svchost.exe
2416	DesktopLayer.exe
824	svchost.exe
2072	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2440	IEXPLORE.EXE
2776	svchost.exe
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016ce0-2.dat	upx
behavioral1/memory/2776-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2776-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2956-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2956-17-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1184-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1212-148-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1720-166-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2940-173-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1464-373-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE14.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEC0.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px164E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px85A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px992.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px15C2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px16DB.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBF88.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDA7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px86A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDB7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEE07.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA4D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC6F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET1546.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET1546.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET7FC.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET7FC.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440162272"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{604F53F1-B876-11EF-98B1-E20EBDDD16B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2083fe2e834cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000006e7b2694e7ffa5cad576da1fd35695eb3b2880872eb9d88ea7d54adb0a445582000000000e800000000200002000000056f0b139b2655444239cd3ea7345b8cfe5e8b49a72a52d736c7f073f604e346220000000a3017278b7399346f5c42d9325617c0ed2fae4da25a4138cf538540794fb0cbd40000000b77fc718d3dc924483bfb72ce1a48ac10ed365a71696659a5d174dc253ce9670213906fe4d11893c62bdf9edcea1058db5a6f07e67c99b309a6e4df8e2b4cf58	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000093ffd55f527ee726275b53e3c1e9003cf72d374a73a60015b66c4e74dde1bc5b000000000e800000000200002000000082cc6daf60697b6d44f4d2d4ffc52f0e9fcf25b0494eb7ffcbb096f78928176c900000000389e84a739afef681062a678c87bbae1d3c21fa38836e644d67d5328df35e16e65ee6f4c4582ede5e91f0ec2f48d359518cde0de0e6b35fe0d3c9202d6139048778cd1b5cf49c1447ce83cc925fe863d35216c0657c6f95aabfd8067c942f3e9bd84f6b35d3e87aa24df38d0edf8e7150f8591b35156644e1db45cc9e5ca57d0ffca9a396daf5b3fb88d668d7f6183740000000fd60af78311ffe3db569cf8eda2b818b7cf9f1eb2ce43699702c75f8d45bc4adfc273ca39fc2433e254f3c7c64b3273ec968f4f5fb708f3cc20a47db5197493b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2956	DesktopLayer.exe
2956	DesktopLayer.exe
2956	DesktopLayer.exe
2956	DesktopLayer.exe
1908	FP_AX_CAB_INSTALLER64.exe
1184	svchost.exe
1184	svchost.exe
1184	svchost.exe
1184	svchost.exe
2400	DesktopLayer.exe
2400	DesktopLayer.exe
2400	DesktopLayer.exe
2400	DesktopLayer.exe
1212	DesktopLayer.exe
1212	DesktopLayer.exe
1212	DesktopLayer.exe
1212	DesktopLayer.exe
1188	DesktopLayer.exe
1188	DesktopLayer.exe
1188	DesktopLayer.exe
1188	DesktopLayer.exe
2940	DesktopLayer.exe
2940	DesktopLayer.exe
2940	DesktopLayer.exe
2940	DesktopLayer.exe
2052	svchost.exe
2052	svchost.exe
2140	svchost.exe
2052	svchost.exe
2052	svchost.exe
2140	svchost.exe
2140	svchost.exe
2140	svchost.exe
1740	DesktopLayer.exe
1740	DesktopLayer.exe
1740	DesktopLayer.exe
1740	DesktopLayer.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
2488	FP_AX_CAB_INSTALLER64.exe
968	DesktopLayer.exe
972	svchost.exe
968	DesktopLayer.exe
972	svchost.exe
972	svchost.exe
968	DesktopLayer.exe
972	svchost.exe
968	DesktopLayer.exe
2416	DesktopLayer.exe
2416	DesktopLayer.exe
2416	DesktopLayer.exe
2416	DesktopLayer.exe
2072	DesktopLayer.exe
2072	DesktopLayer.exe
2072	DesktopLayer.exe
2072	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE
Token: SeRestorePrivilege	2440	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2340	iexplore.exe
2340	iexplore.exe
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
2340	iexplore.exe
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2440	2340	iexplore.exe	31
PID 2340 wrote to memory of 2440	2340	iexplore.exe	31
PID 2340 wrote to memory of 2440	2340	iexplore.exe	31
PID 2340 wrote to memory of 2440	2340	iexplore.exe	31
PID 2440 wrote to memory of 2776	2440	IEXPLORE.EXE	32
PID 2440 wrote to memory of 2776	2440	IEXPLORE.EXE	32
PID 2440 wrote to memory of 2776	2440	IEXPLORE.EXE	32
PID 2440 wrote to memory of 2776	2440	IEXPLORE.EXE	32
PID 2776 wrote to memory of 2956	2776	svchost.exe	33
PID 2776 wrote to memory of 2956	2776	svchost.exe	33
PID 2776 wrote to memory of 2956	2776	svchost.exe	33
PID 2776 wrote to memory of 2956	2776	svchost.exe	33
PID 2956 wrote to memory of 2380	2956	DesktopLayer.exe	34
PID 2956 wrote to memory of 2380	2956	DesktopLayer.exe	34
PID 2956 wrote to memory of 2380	2956	DesktopLayer.exe	34
PID 2956 wrote to memory of 2380	2956	DesktopLayer.exe	34
PID 2340 wrote to memory of 1904	2340	iexplore.exe	35
PID 2340 wrote to memory of 1904	2340	iexplore.exe	35
PID 2340 wrote to memory of 1904	2340	iexplore.exe	35
PID 2340 wrote to memory of 1904	2340	iexplore.exe	35
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 2440 wrote to memory of 1908	2440	IEXPLORE.EXE	37
PID 1908 wrote to memory of 1076	1908	FP_AX_CAB_INSTALLER64.exe	38
PID 1908 wrote to memory of 1076	1908	FP_AX_CAB_INSTALLER64.exe	38
PID 1908 wrote to memory of 1076	1908	FP_AX_CAB_INSTALLER64.exe	38
PID 1908 wrote to memory of 1076	1908	FP_AX_CAB_INSTALLER64.exe	38
PID 2340 wrote to memory of 1348	2340	iexplore.exe	39
PID 2340 wrote to memory of 1348	2340	iexplore.exe	39
PID 2340 wrote to memory of 1348	2340	iexplore.exe	39
PID 2340 wrote to memory of 1348	2340	iexplore.exe	39
PID 2440 wrote to memory of 1804	2440	IEXPLORE.EXE	40
PID 2440 wrote to memory of 1804	2440	IEXPLORE.EXE	40
PID 2440 wrote to memory of 1804	2440	IEXPLORE.EXE	40
PID 2440 wrote to memory of 1804	2440	IEXPLORE.EXE	40
PID 2440 wrote to memory of 1184	2440	IEXPLORE.EXE	41
PID 2440 wrote to memory of 1184	2440	IEXPLORE.EXE	41
PID 2440 wrote to memory of 1184	2440	IEXPLORE.EXE	41
PID 2440 wrote to memory of 1184	2440	IEXPLORE.EXE	41
PID 1804 wrote to memory of 2400	1804	svchost.exe	42
PID 1804 wrote to memory of 2400	1804	svchost.exe	42
PID 1804 wrote to memory of 2400	1804	svchost.exe	42
PID 1804 wrote to memory of 2400	1804	svchost.exe	42
PID 1184 wrote to memory of 1716	1184	svchost.exe	43
PID 1184 wrote to memory of 1716	1184	svchost.exe	43
PID 1184 wrote to memory of 1716	1184	svchost.exe	43
PID 1184 wrote to memory of 1716	1184	svchost.exe	43
PID 2400 wrote to memory of 2856	2400	DesktopLayer.exe	44
PID 2400 wrote to memory of 2856	2400	DesktopLayer.exe	44
PID 2400 wrote to memory of 2856	2400	DesktopLayer.exe	44
PID 2400 wrote to memory of 2856	2400	DesktopLayer.exe	44
PID 2340 wrote to memory of 1788	2340	iexplore.exe	45
PID 2340 wrote to memory of 1788	2340	iexplore.exe	45
PID 2340 wrote to memory of 1788	2340	iexplore.exe	45
PID 2340 wrote to memory of 1788	2340	iexplore.exe	45
PID 2340 wrote to memory of 2308	2340	iexplore.exe	46
PID 2340 wrote to memory of 2308	2340	iexplore.exe	46
PID 2340 wrote to memory of 2308	2340	iexplore.exe	46
PID 2340 wrote to memory of 2308	2340	iexplore.exe	46
PID 2440 wrote to memory of 1524	2440	IEXPLORE.EXE	47

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\e2ac22ca0c9d8b191495bebb8f1a9211_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2380
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2856
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1212
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2072
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2372
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1188
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2408
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2736
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2996
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1740
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2992
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2800
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3068
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2424
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1464
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:968
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3068
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2416
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2452
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:824
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2072
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2524
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:209930 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:209935 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:209939 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1788
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:799749 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:2962441 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:18691073 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1288
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:11219970 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:799766 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1524
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:2831381 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
4b63d192be5855d51944c41c47146dc7

SHA1
d038e0c60af6471443d7effbf576ec46ed40d70e

SHA256
ed1a3df36dab7663b1240011626fa243acecfd512b9f9b9d20622cd68b48a8af

SHA512
d8a00a092f894e2eb240d870a95c10a63ba1098690af648896e14ddeb5cf389b74771ebf543ee4b8ffc3a96e69625cf3a602049b91a698d49b54a0515ca29a00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d5ed36b1184ef457f455b4706fb6deb

SHA1
50ef2452159ea93d9fd1dab220d22b1dd99ff26e

SHA256
3b7831b6222c0a93e0a53462edb151baf0e2c9973cdce18c3793beebd4b33a86

SHA512
2d0c5a0af83eadad6a9fda1591f79f1cea255316c7786baf3a2993399053fd3393dc64ee7f876ca41c6933cf1df002a31fd7fa2dda211291ed62ce974a301c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90a7eb19ae096b20206aba13a0b6d3e9

SHA1
6616b1826b837d99b4de96c926f756a9bbdde80a

SHA256
54a85b06b6c46ef36deb46deeece435793c21bfaa74d64506890eb6beba7908d

SHA512
9128eb6d4586902c68d09c2c692e7ac0949a9b63759a1b6ff41041b2ff6535d4896b46237056d29b6765e3684a944765510d7fdf9cc3fbc7d754c260a2fb8a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa04876228320936fd7bf66ae6cfe54b

SHA1
f4986a6ec803344a2a8d17bee9a13a7f0baca6d6

SHA256
d5bcc685b169e10ac584d1ede68128cf82767787c778ca607b4c5e593c93e975

SHA512
45dec02ace754080fcbc7a8eaa360076cad1d676ab771fc4b317ab4d093d35a34b28c49606eaaf7bb6eee30cd857ff6aeecf2b388805f10a0962201f9afc7fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00e9008eb47783502e3bd87f5482dbc4

SHA1
8c40d40869e7df22aebc88ddff4d1db64eccd37e

SHA256
1a6e61978c147733cd220ce37233a7901c3e687f85f8a8608df3d2448c39c23c

SHA512
7d6c7266739b07694d6527b51634d297c406044a2abf720806b125a51bdeda3dc3bc5559217468fca9f4bc095ac873783c565fc5a7bdd749e359cb80ba9e6c9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51a7aae390ddc332d830ae36e689d815

SHA1
44057a2c2c92ee7f8ef78c78048bde23d80e4eed

SHA256
de4f0e4dcb7e1fdc626a370f0cde44216682a3281805c440564cc279145d6149

SHA512
58d08a5d86e2f957a2dae0c131557e61a4462a33f4bbc4c8f6fb41752697ef2cd328944f0215e9a6c445b73f8f1e4e529c3cc92f88c21069f49da6c9db971ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34adf5acb507c993a1a6e25c1bccd314

SHA1
d74079b5c08865d1a133026310d82fd89141b7eb

SHA256
3d2ccfea4baab067a3b4a54486c1b20f9cb6dcc2d9bdd59cce382aec5cbd9820

SHA512
a836d88165f2976a0b9d7bfc970e0411a346f2579fdc95f66544fb1cbf3b199935c4ec5807a61080c5091c81dfc007ba5494acef4ff9304063233720f2b6558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379b4ce02a6d5c91e043d2b157e42ac8

SHA1
171e8e07438e7122b543f6837d184fe3533905e0

SHA256
217d19d63c6655fdd209e0d0da6dd4dceb79bc73e7bacccc78d491bfe020b46d

SHA512
3da73710d612e449fbdb5a6a9de3bf34d1e0dc72e14e837fc9a5bd322d7305f8383a0c44a79bc6e7a78ea29c32555878643e3803d7d29f6a0db863d365de029f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79b30d3a47d3fa71ff7b8cf754913808

SHA1
5a0246a0a5be6c38e43985d495870e65c848e0bd

SHA256
5c8bd8ea9a90ae6b86b547849565607c64624860f3606f7bf69094e88a333f5c

SHA512
50d20a0f3703926f9f838f6932e5dc70ec0788742110e20f4b90f8954656b1054c37d3e7c229e36de1ac3612c179e76b830e92b1b768552b4d21ebeb1887ff8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bf76eb8aa47f1de6fbf9d5144bac75d

SHA1
2b7a0a826c6716e566001eec9b95b925b6727f2c

SHA256
3cf13da1fa5acd8d258246ba785c59a30e0235449716122243630955d13eaea0

SHA512
a9a920c780a60efd5f345ef58fa9bc925c2158ac4c85a0d815256cd3fb269e4bebb3f910fa8c55990342ebd875e4e40ca3e9375fd5a51c2de503a6c803baff32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f375f170800d203b74db1d28a0e17ed8

SHA1
ba44aed0d6ec6e0e3438b365c358a60d574fe94a

SHA256
ad09c53cc211e627de2398cf9beddc512d98bd33716637bb71deae4fc6411b98

SHA512
ea0fb439a9e84e3ad64c4cee59cf132c8d226b592b8b1e1579c4fab5f809d4058e0606c948bc5cf658088dbd53f445eb70098a99c1ffcd71b3e832f560b9b032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9529c659472a0444b3aeeca09964b4e5

SHA1
0618ba2f6e1a782bd4ce0d5b2d62968a37bb0156

SHA256
c28d8e7dfc7a717f8d10e7a639b956a01a0c3161676c6503324bae7edab76a0f

SHA512
a4d7d3aa21b2095652fddc00847926eed69ab5b57198cf24b10adb1b37c969a05c08e5638ffda598294a80f13cd9888d0ae902c97de8a03cf44ac54f3010e2fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0753309f7ab0f587c037c2c39f58841b

SHA1
cc7343088fbe46250f273a9e4e8673e55716b373

SHA256
9e2fe8874ae9fbf265be62917f97c3e5399b678bcf9878e51713ec17dff59578

SHA512
6d2fc38a7a56d98bfac22b4dde6f1f8a33c945eb94b1d308873bd4abb0f47e1c738f52a2dfbe169b54714a6b421706621b2778de0ecb29f7900f1f6abda96870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47a343b376aaa9176e8d6908d521d72f

SHA1
a1e27d1f5b5b11673ba3b99273541b3cc55812c4

SHA256
5bfcbe2329a1e10ea050e04594ba987f9d7dfd9cd2961f9c0adedacf55c0816b

SHA512
61f9b05637e299e4495687627b2983ce78e36c2fd5b3764a454a7a85422e808761234bee9df1e7466c74f2fb11b327d3b5e4e47b4e1e438c2f4b98fb2629298b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac0e2d54c24b1dca8e8b29390eedf5a0

SHA1
a21527e8a5e337a95541a073c78640353ffd0563

SHA256
d0a4cffd151bbd0f115214833f12d6dd573630108c0cd3e737bcaae4e2e97130

SHA512
4ef47a82d1ae31ab16a556d83d2fb6cde9ff2e6d26eb3a94412acb0c5fe38c32529741ef12018fa32bf157926b42987a1ede4269288b33f87bb7fc5b5b5caeb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a54ffc746c12f7e9e3f66c5ba912cd0

SHA1
b9909b4dd9893bf03544eb867380254a9482a13b

SHA256
d047aca9f12037f18e95afda9bed3344d6e19ce054d39919d38908e45437e31f

SHA512
8460635fab793b9ef9c55de247412a423c82c3d89455d3c969a4a6a66cd9ca63e41005bbd21d01a65c9fad6ad82789d3ec7723d44a1ab4a5410d4c05f236562f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02e51a2959ee00f91dbcdf659c7db586

SHA1
e9475ed4fa28c2b7fbddb4027fb2fc74c66866ab

SHA256
2224637bd84627ebb19ef6c4a4d9a837d4315398e01b4f3545409f616c8c7f66

SHA512
578ea7d8cb534ce5490b4fb31b79670b10ad059f8ed0e1986508672614f1cb04807d334b73aef638f4797869ac1e49273cee12cc6f41b990b671d98158fa9ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c82e5baf3cd8cc1a772df6b10db0e043

SHA1
bbeb734f8f6c5b4cacf989451a94985c0237f437

SHA256
27d773f28de82df86032c31ce701447482ea45a883296bbe2b79e49f0e9d9c34

SHA512
1bf958bbc3a099a1bc222eb5fdc552563ed1c2b2fa28b42e75f13aa74d7233ad3bc1a6c8d68900ad3c4185dc5aef6009d42d53879a1b6823cfa8b9582f8eff22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef275c9ede477e7b12a0799d00805be

SHA1
d1d39f4b79f78868953d34038da21a4347b8a564

SHA256
3d6db1b1a23c84b0f1a29f5d9ce3a3a1528aa1504a5fda9fba9ad596cc81e782

SHA512
dea625c86ce062e4310def3a283a493fc6142165217bb4d400f28a5be054c446c67da36b9791f2bc03f405c4bf73a103f3c438124d8ba738483002f8ca56f68b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fe60f74f478e9f59675d0013713a39b

SHA1
84bb04683dc717d79e8ab08d3e10e1cd60dd1ace

SHA256
446b90821c197aa960451573be26569943a2770d967cf4f857bd2221ef682abb

SHA512
a78bc9d140ae9cc94838cdcfed2dec798eb1b1c8d0572061ec81caab42cfcab139a949e29b742bc75bbb65cd353bd5d550bdb40bc5275bece42f57185878239a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25066c1cd78a86d9b1a484f27f627797

SHA1
d75389aa3d36a52dcf0c70b97b331c56e33061c5

SHA256
0aa38fb48273ab330c474100667f3bd1afbfd32e196b1640240c4f71175d953e

SHA512
2b8bbe0eb57740d0ad42d173694551b4faf6db9f716e7ebbaf1382fe9cd7960a269240e514f3eb1d8ef34d198cfd4318efa8883762b17d6d56644095ae9581d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6ffd1e43fbc4beb08bc05cb918940eb

SHA1
5cd5b2954c7ff3954b86f984d1f0d642d598d375

SHA256
b4a6b2e0bcc07842f8fcad4e40c823b37fe094b3d2d019c4ba15dcbcd8a8d576

SHA512
36a4fecd76067066651576d43eadb1dee4f860f431538c33e5587b495f77fd0c33c6a62de2a853f7253f28ebec05103dcf4942fd90ded4b548ef99ecebac32f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd211d4c913154382a658583c2f654e

SHA1
94e9e74eeaba6bc0e62b116ccad9e2c5f855bede

SHA256
80a24d7341743bca96a64e1510a6a0b794d8bb600e65962922407e3ebfc56b0b

SHA512
61366b592c3c0442d9b54aacc292d5dab98729c07c8965ee391973a07e79d9ebc801f38a690a1bb3b2b56d54da9f94fce54f61225192990eaec2b27d384f88d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a8eca90383a976ee8ba20f1aa7c950

SHA1
0b738a1b0de2a77190ceb0cc061200f8a3e8a09c

SHA256
4feb2c7c918587651c8953c1e7e0c4a2f65eda0841fa0b07a40af4f7623fcca4

SHA512
867f5982fe813580367847f20df4c4263f269f16b45a1151683241ba11acc63cfefb2e15beb1387eb7166e43735d338b2914f8ba18f4d001d2e133f50220b518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbe9236007455f25beb803c9749f480f

SHA1
9590438db0ba66f15bb531e75a5de9947c3276ef

SHA256
d9dae48ac337b7298e91fece314f25dbaf9dd9b01d93734ef6084fbc3cb2b198

SHA512
7cdcb7d78974139f17c30507cbd720df78e0b7c0c850525364966b882080b49fd3584d4f2ccf1dbaa6cfe2539b1777f1831a34fb54465b9b7b370c4c96ea9765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd1e05ebf0b31e7afd66ee4c02aa5593

SHA1
a5bc2841da6b36990fb3f110c9a0e6ff182de79e

SHA256
a358386f60b0060e14009dd13f96c351f674e591b964ced8113c12e081c913bb

SHA512
98794d1b3724ec701804e83d7123ca402b63e7e1111bea4134099a4c534ec2237c508cd7a2b4d153f9ae9b96937ed73c46653cf561dbb7b89f0d2b3f77bad651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ed4120195afdf87c38ca312d4f94550

SHA1
7bbd168db33b66b99e9d7d3c0ea1a20eb87aaa1e

SHA256
adc8a4a9258581620c178226282f1cb6d4dd2971a3215ce772e8fb8f64b4a15c

SHA512
4f424abddf036976e84dc4ac527ee2cc960be5645557b7df0066c190c7905458aed0b37fc3e6eae952afc269cfd60a029d968d98674e3e8fb7b6986bc7f56bb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
69b6c064f2a8ce8647b352a62a760de5

SHA1
ac3fc666edbe1a1c381cae60f7dcbab3f43fb4fb

SHA256
eaa2e080558dc5e2bc9ef93a39954279f658ebb77e9346d217ac79aad8f7bf7f

SHA512
1f26cec16fce7188bb4f5f7f7eb94bd88da3498f5b673b8627bec5174bff2c59ef450af8794d1f13e6498cc0a88db774c6ee764340c43578bc5b81a67cd5602e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFD74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFEBE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/1184-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-130-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1212-147-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1212-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-134-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2776-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-7-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2776-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-18-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2956-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download