ramnit | e2862209cdea0127320e1ddc8c571f47efbc3098435b260f071f97ddec52e1e4

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2db90642d58af7db35d1cc71e277e70_JaffaCakes118.html
Size

2.3MB
MD5

e2db90642d58af7db35d1cc71e277e70
SHA1

a452668e4512cb41d8387df17ce6b46848422749
SHA256

e2862209cdea0127320e1ddc8c571f47efbc3098435b260f071f97ddec52e1e4
SHA512

8f0fcce753de0a50777176461a7cc6368eb14e8d217b82f2e4cb7b565ec3e33ddec85f6f32522cf8f250bbc300c4d4ecd30b4dee92208e1c8d4bc06177cae1a4
SSDEEP

24576:h+Wt9BJ+Wt9Bq+Wt9BU+Wt9Bv+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:r

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 27 IoCs

pid	Process
2984	svchost.exe
1856	DesktopLayer.exe
2468	FP_AX_CAB_INSTALLER64.exe
972	svchost.exe
1868	DesktopLayer.exe
1312	svchost.exe
1660	DesktopLayer.exe
1784	svchost.exe
840	DesktopLayer.exe
2100	svchost.exe
2640	svchost.exe
1564	DesktopLayer.exe
2928	svchost.exe
2216	DesktopLayer.exe
2228	svchost.exe
1740	svchost.exe
2296	DesktopLayer.exe
1260	svchost.exe
2656	DesktopLayer.exe
3024	FP_AX_CAB_INSTALLER64.exe
2456	svchost.exe
1900	svchost.exe
1768	DesktopLayer.exe
1868	svchost.exe
2132	DesktopLayer.exe
3568	svchost.exe
3592	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
3060	IEXPLORE.EXE
2984	svchost.exe
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018703-2.dat	upx
behavioral1/memory/2984-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2984-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1856-17-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1856-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/972-126-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/972-127-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1312-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/840-151-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2640-172-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8160.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8372.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px30E0.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8A26.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8279.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8315.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8112.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8298.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8A93.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7687.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px82C7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px81BD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83EF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8A17.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET80B4.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET80B4.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET89BA.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET89BA.tmp	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bec273874cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000d76367a7c24e941325aa0825fedc75b566eaa8aa9c4d7349683cbf08b6e639cf000000000e8000000002000020000000a8f6b9535a1780f8a75dab17ce6e19a8a429b81b542a8b1a30b94d20fa48e2d8900000009741dc52ffbc570eb090957a4d60c3d99f244647e7d28f6e912476f479c211288c2cf1c812a90a1d029af82625ea2102a10d1a18188852200385d48328df978fe60ad94402eb68bcf44fed860623cefad4c6746d17eefc2fc2cfe60b4d37dd77783f9201d88d2b836238a8ef1716b8017edaa15eb9c91a23beaa01905c529063e4a5e2f1200ba154a1456d182f7b50304000000069cc3419ce1e9f1b610ae20d3be3de04787a0f002b9075cf45ccdb57c0924765ec8667c50434a05fe212e8f880bc32181a6ca917bee10124a43615a8123c8b41	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB8A2121-B87A-11EF-9D96-D6B302822781} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1856	DesktopLayer.exe
1856	DesktopLayer.exe
1856	DesktopLayer.exe
1856	DesktopLayer.exe
2468	FP_AX_CAB_INSTALLER64.exe
1868	DesktopLayer.exe
1868	DesktopLayer.exe
1868	DesktopLayer.exe
1868	DesktopLayer.exe
1660	DesktopLayer.exe
1660	DesktopLayer.exe
1660	DesktopLayer.exe
1660	DesktopLayer.exe
840	DesktopLayer.exe
840	DesktopLayer.exe
840	DesktopLayer.exe
840	DesktopLayer.exe
1564	DesktopLayer.exe
1564	DesktopLayer.exe
1564	DesktopLayer.exe
1564	DesktopLayer.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2216	DesktopLayer.exe
2216	DesktopLayer.exe
2216	DesktopLayer.exe
2216	DesktopLayer.exe
2296	DesktopLayer.exe
2296	DesktopLayer.exe
2296	DesktopLayer.exe
2296	DesktopLayer.exe
2656	DesktopLayer.exe
2656	DesktopLayer.exe
2656	DesktopLayer.exe
2656	DesktopLayer.exe
3024	FP_AX_CAB_INSTALLER64.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
1768	DesktopLayer.exe
2132	DesktopLayer.exe
2132	DesktopLayer.exe
2132	DesktopLayer.exe
2132	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe
3592	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE
Token: SeRestorePrivilege	3060	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1704	iexplore.exe
2232	iexplore.exe
2408	iexplore.exe
1600	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1600	iexplore.exe
1600	iexplore.exe
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
1600	iexplore.exe
1600	iexplore.exe
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
1600	iexplore.exe
1600	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1704	iexplore.exe
1704	iexplore.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3060	1600	iexplore.exe	30
PID 1600 wrote to memory of 3060	1600	iexplore.exe	30
PID 1600 wrote to memory of 3060	1600	iexplore.exe	30
PID 1600 wrote to memory of 3060	1600	iexplore.exe	30
PID 3060 wrote to memory of 2984	3060	IEXPLORE.EXE	31
PID 3060 wrote to memory of 2984	3060	IEXPLORE.EXE	31
PID 3060 wrote to memory of 2984	3060	IEXPLORE.EXE	31
PID 3060 wrote to memory of 2984	3060	IEXPLORE.EXE	31
PID 2984 wrote to memory of 1856	2984	svchost.exe	32
PID 2984 wrote to memory of 1856	2984	svchost.exe	32
PID 2984 wrote to memory of 1856	2984	svchost.exe	32
PID 2984 wrote to memory of 1856	2984	svchost.exe	32
PID 1856 wrote to memory of 2364	1856	DesktopLayer.exe	33
PID 1856 wrote to memory of 2364	1856	DesktopLayer.exe	33
PID 1856 wrote to memory of 2364	1856	DesktopLayer.exe	33
PID 1856 wrote to memory of 2364	1856	DesktopLayer.exe	33
PID 1600 wrote to memory of 2260	1600	iexplore.exe	34
PID 1600 wrote to memory of 2260	1600	iexplore.exe	34
PID 1600 wrote to memory of 2260	1600	iexplore.exe	34
PID 1600 wrote to memory of 2260	1600	iexplore.exe	34
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 3060 wrote to memory of 2468	3060	IEXPLORE.EXE	35
PID 2468 wrote to memory of 2232	2468	FP_AX_CAB_INSTALLER64.exe	71
PID 2468 wrote to memory of 2232	2468	FP_AX_CAB_INSTALLER64.exe	71
PID 2468 wrote to memory of 2232	2468	FP_AX_CAB_INSTALLER64.exe	71
PID 2468 wrote to memory of 2232	2468	FP_AX_CAB_INSTALLER64.exe	71
PID 1600 wrote to memory of 1620	1600	iexplore.exe	37
PID 1600 wrote to memory of 1620	1600	iexplore.exe	37
PID 1600 wrote to memory of 1620	1600	iexplore.exe	37
PID 1600 wrote to memory of 1620	1600	iexplore.exe	37
PID 3060 wrote to memory of 972	3060	IEXPLORE.EXE	39
PID 3060 wrote to memory of 972	3060	IEXPLORE.EXE	39
PID 3060 wrote to memory of 972	3060	IEXPLORE.EXE	39
PID 3060 wrote to memory of 972	3060	IEXPLORE.EXE	39
PID 972 wrote to memory of 1868	972	svchost.exe	72
PID 972 wrote to memory of 1868	972	svchost.exe	72
PID 972 wrote to memory of 1868	972	svchost.exe	72
PID 972 wrote to memory of 1868	972	svchost.exe	72
PID 3060 wrote to memory of 1312	3060	IEXPLORE.EXE	40
PID 3060 wrote to memory of 1312	3060	IEXPLORE.EXE	40
PID 3060 wrote to memory of 1312	3060	IEXPLORE.EXE	40
PID 3060 wrote to memory of 1312	3060	IEXPLORE.EXE	40
PID 1868 wrote to memory of 1628	1868	DesktopLayer.exe	42
PID 1868 wrote to memory of 1628	1868	DesktopLayer.exe	42
PID 1868 wrote to memory of 1628	1868	DesktopLayer.exe	42
PID 1868 wrote to memory of 1628	1868	DesktopLayer.exe	42
PID 1312 wrote to memory of 1660	1312	svchost.exe	43
PID 1312 wrote to memory of 1660	1312	svchost.exe	43
PID 1312 wrote to memory of 1660	1312	svchost.exe	43
PID 1312 wrote to memory of 1660	1312	svchost.exe	43
PID 1660 wrote to memory of 836	1660	DesktopLayer.exe	44
PID 1660 wrote to memory of 836	1660	DesktopLayer.exe	44
PID 1660 wrote to memory of 836	1660	DesktopLayer.exe	44
PID 1660 wrote to memory of 836	1660	DesktopLayer.exe	44
PID 3060 wrote to memory of 1784	3060	IEXPLORE.EXE	45
PID 3060 wrote to memory of 1784	3060	IEXPLORE.EXE	45
PID 3060 wrote to memory of 1784	3060	IEXPLORE.EXE	45
PID 3060 wrote to memory of 1784	3060	IEXPLORE.EXE	45
PID 1600 wrote to memory of 1268	1600	iexplore.exe	46

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\e2db90642d58af7db35d1cc71e277e70_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2364
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1628
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:836
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1736
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2100
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1564
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2696
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2928
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2960
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2140
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2296
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2812
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1260
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2240
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:840
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      PID:2232
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2240
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2132
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        
        PID:2408
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3124
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3568
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:209930 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:209938 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275472 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1268
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:799750 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:1389579 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:209948 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:930843 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0e04a144e0fb3e344145fc1036ca1461

SHA1
737c54e0de55de1256a7b3e192e6db3caf4dbef3

SHA256
6357c88978f723a3a2a8c0c1c8fe259140179f99ff9258c4034684ebe28e3481

SHA512
f3e23bc99c664e1f4b3dfaef04228bff221fc90faca13678a290df0c541f7f3e899162d39aa0e8391e0c1ec6e0fe34ac5b2b6261c27288fa620a4d23b6084d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b6fdfae4c4b1d5cd8a6594923dba36

SHA1
f7cad3a436df957e00e2ac8d5fe8597e8bb86b8d

SHA256
e8305a2aa1c7ca6030052a0a639fd22e6503f8fda488bfd298af8a6cb56d4132

SHA512
f1458a386c8363351b9813f617bf8e00cdbce8edf6fba61a6edbd5a80c89bd2e9ea4e057d61cb98aed844c7b28595a9d0858e2f7390986e492a1fc4753ee34a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
806e513b8436b66bb3e6bde60c299dfa

SHA1
8ee64553ceb5c4b7d0a2506d892426c36aa0b11c

SHA256
c3be3ffee599b47426628e7e42c11cb7a5da12e6a55fff42140df22e175296e9

SHA512
f0478d67e239c712d6aade5fae9f7e01a32a88b667f8c39f64c927527f2e4583f85b6de89c77ac3659557505fb621c20277e051fe688db387605cf6e37dccba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d2de7b71feb08278402d7feb420cf0c

SHA1
f734332da319da49e10c71557118a713e3579945

SHA256
f308e6487aaeafb96b181bef7186a40de754619ddd0c8461db5c1e4edcbd9024

SHA512
65f650d440700177c500360476590f9ff4f0037437bcdb2fe3e50d9483041e6ce672a688c81bf52cb6edc31f7dfface73986ae8195e5b4f60001fb04f174dd7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f632ada478bf7cc83f44bbe33beee81

SHA1
247e0a7e0f94f0dda5b429aedcb19fc49c56746d

SHA256
ef8e133c5dd125fbe65cad01a2f0e5675a6e8a954226d0eabb111b9dfe430411

SHA512
71e59094304459b0cce82801281e2724412c47511b6393eaa80821858164fea5eb45078eb19eb0c60ef08ba4547ec5d61541dcdafc5d84ce697132235662309f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c8d0b9a58e0b5172a0551c8c96e7f5a

SHA1
175ce43eec0a529d447480cd8a46f0471c8bb7f4

SHA256
14ec1160fe2797967e9272f5f04ff328616d726dea67897667c5c4cfcef8750b

SHA512
14612e56b23da7f1a3dccd77c5dafa9f93b8176e4a9637141dd4ad329c702b03e5ab64bf4d357160f2623f026cc3f7fd5f555f39dc82853750bbce5801f22ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f4263d980ba3437fe97af53e560e097

SHA1
cf11b877221ab80771a7afeb0e37d9daec2675e1

SHA256
8ddc2ea52e2c53a106f79ac3157cdbb77f85ef73def55b0a8e29bd77cf14f8dc

SHA512
f87d6f3e3d9c2197b234dd1d920e4fb341d36242a9f8c334655e00bf1569d77f511500e79973ff42a56f2633d9a7309d2562faade8da37ee0bb5ebe8b8b62b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236dbb49141a047ba6ff0c77737747eb

SHA1
677835297fc8227f44f2ee3b1b2900c2465e24c7

SHA256
ef485ad75a2e7559ba7b8ce85019a85dcf8a681f9af601dbc9f3dc179ec0f495

SHA512
63b5b58e759ef26509b277efecbdb7a3be78e416d25500a655806e995c167ba7711b11a5f6d714adc42ff6b369c64ef618ff553cd8e0d41a767849d560c49756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19a31d403d0f4da91dfd8039a223c99c

SHA1
87c88ac66f23b34af8a530597816700339ae876a

SHA256
dec4e424df3847e50087be34bd9740dfa27238c10b9cf3861fadde09b9bed9cc

SHA512
5ac320045f03061279c93577d438bd3710b2312d0035acc1318ddb92500e3b5acb772549ba5f82bf0c071b6ccf31a7475ca6664f8f69903d0d2e19f5ced40861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
091b93014e76a5f2b69cac04083d33b1

SHA1
4676ccd8cb7c9c2dc81a7b39e28f8dff9b997448

SHA256
2d789b119be486fc5c9c5bda9f2fb0cc38e33ff4855596ac1d0eab5b0a98e3ba

SHA512
68732996654f769b51ab640eaecb6b8833abdd7cb10fe39602c46ecebb446d86c8b03bf7b79f97dd28da9db2a9c2f48645d008d0a7d3b9c5bb61443200cbc98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e3be87e832eaaa753430c358c7338e5

SHA1
c2eb83ac4cd012171428692077be4c7ee7fe9a21

SHA256
f77d75a7b180a996ee39cb4afd142343c209b93f64efc430004d924709add48c

SHA512
28780dd75acc261a424aefd576607e2d7e5e930a23fa9bfd17ef2dd12db8a3d48ee440ec973995b5aadbb0dce8cb12e68c10edd0fb9b2f155ff28873617aaede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16e65558c01831c334515f0a790e62d1

SHA1
cb3d87adf2ddfc0bd848fe2c2d970cc6e43206c2

SHA256
888ab0da7cd3ee6f4d1a2376146359d2eea7510f95380d2fb36d72296c080c3a

SHA512
755f17ecc0e9d2432f3d8bf28b2a140791e115cda78f37296c04900b160e7300a385c17bcf302c01d4a96ff5e61071a2a32d47b439d730e487b40359ad1bcb85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0b351175bc1a9851b9b98d45a7a4f4b

SHA1
98823b674b132037533eca9681fa8cc9704993fc

SHA256
82ebad9531683d0081a1592dd88fcf89e51dfafe8639766ad682404cc12baded

SHA512
0fc3b60cd56488d84647aacb772d023099aa019f6101078cdabd6b9901d2a644cef8ed37345d9d953912e69f8d3d72ccbc81fe0e908f92d16a56a154ea5921c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb62a60a02a87288f86ac9b3ad59f416

SHA1
720e2f25d75d1b4321f727e70c2533fa997f760a

SHA256
5d23a45a961725db1b668c2a8e7cd98caf83207853b5d3f4b61129101fae5e97

SHA512
1dcd5b9b7237ada13f5bb5151d6d4936a009df99d12141e18343288842a426f32bba08e7c38fdb152eb8d09e921a69a6bc898af1006da06049b5f1dcefbd22bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5535004d38056754bd89924207e8e7cc

SHA1
b41c8222cc91b574ed22079020627949ef141b12

SHA256
cbdea06fa114e96cfc460ccfdaf9fe013e9bdfaafc4f79c2562b55a5b0a4b038

SHA512
f9805f59a5008576024d98012455b799119f122937dfcdf1643703b7a9692faa4ec5803ec2eecf3c403d0b05169c7c7f9dc57effad2ad813aed5b776f3931083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebf31e0cf61c6c5bd8ed7cc6a3ebb106

SHA1
91ec7184d617adad25a1a3e2a908af462920a7f2

SHA256
7713ac20db242f83be2f212061b196de60310fcb88d9d356fe9c72e8f021a7dd

SHA512
7da1b338f6e559004d3453727264e36a33031ff26c0d000e7df2e086d0ff76deb63e78a7cfe3c7957af282bcbc0bf51da611d76db8fb02cd6fade4ff8961c3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dae1765dbc11ba0b9165e65617d9e4f3

SHA1
6d9239e9ec7e13b06685720dc141cf914fab6df6

SHA256
d4e0c00dbd97a34c188ccfefb46166b728f53aa616e09eef2f33b40d3f8e333d

SHA512
031ee6c3c201734832728e31e781b1aeff6034b1c8ad5aa99078edd20f5a7005022396797aa004075af65e229fb398e573ca4b30f67cf30f27cfc23da572a798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbfbf088c5c7ad69424bbd8c57be9e9a

SHA1
3969449744a40969f6618f08d5e81c00881dad07

SHA256
8a2550ebcbad9f7af0280bb23ba0cba2720fdd24e35631a13a36772dbe1c9632

SHA512
03def5e55e6ed0ca9d6909e3977f6d452dd6b191223a9b96e36965e7eef1e7f5a242417017c9a8395c85098f52005b4af8c5c23a8eea9c44b44892c82c0489c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38a8769fd884b413032deb7fea042bf4

SHA1
617d19c130ed124d1510cd90dd6fd09b8fb9bd1a

SHA256
3912768abbfcc0526661b025fc82e4ec08729daaf6665b40e65f19236a56cb0f

SHA512
19f5f5c38aff4ff86a2f1c3ff72b8ff8c2e74080696070f33b4731f4406bde635c32d515b2c9799c1426f0184094df06a8f56ff061ecf403d03b0817c478eac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b65f4b3275c649ba74baf086b07fbae

SHA1
d49ccce2d8a4ed35288ceb771e7a68d12167751c

SHA256
119a0bd270c683d9b034d5221579b3ca22f2da7042d842f8f735034463319806

SHA512
1dcaf8cec8a8004e505902f25522f7a6512fd33968dd8c6fd8ef24a4587b3f1ddb49a2497cb36559c57f6caf67ace7a99ab7ee86234d5b4b295db9eca151a632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b95d0a0671eb0857e4109943166394

SHA1
f6d1bcb1a1c8ebf51d59bd10c73484fa5c508fb6

SHA256
7d668e237eae88cd41955238ab9ac781da602a466a908175682fe480d978be41

SHA512
8b8cfb3b74e7b146e4658810ee8563e770c56df03abdccdce9a5833849993a867033862a150228b8f4971c0f7145429d36a5d35e71de4b64c256ea7261aaa991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3afbd33492d7c5c7a7ef4dfcf5a4c36b

SHA1
ccf7203def93d30afd75ba814cda1dadf0751948

SHA256
fb36ac7e8d7dace6402866f1d1efafa969a145510cf8aaca64a13aee2f837516

SHA512
b3ee5595cc9c5c89e40dec405ef35a4588d2173a8f29d37215230fee11e6730409f45600ce1f6f0f15809a5bbb79b8da8d17430b742d26c72fb944d4ff523d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98dafa4e76f93fdcdde5efa2efc8da89

SHA1
9a7e91da265ab58b9bdeb4627113c85ea3858400

SHA256
7e551b56db785eaed972e0154dbefe7b96d5085831c0d01a1601794c63b0f3f2

SHA512
0425eb04c4826572f8cdee4bc7bb8111bc82b614d24d8be5f5ea4fddffa95af3ecc88f527a8adabb3cce986ba7ebae07184e896c709c10b7725c81ca6e3a1802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15c8ce77f26507fa5fe44a36fa929bd7

SHA1
d9af49b9038286e91178a9eda4d19c79b787b771

SHA256
16cb339440733dd3b9e12285a432bd5a23779048e5031fc9200abb719891fa01

SHA512
99eacf6cdb0bd016cf0559247a7432f53dd957c940b5308656e6915ca7be768ba973a726399d3da38c5d34792772909e0b09025054625b10c28945cd6c9ec061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53606e3261849b36a9996add5a0a1005

SHA1
835bda3d764887215a818629e08ea932ecc1a741

SHA256
70eda73e029c81bb8df6fac82b7597b1dc9b164fe97a36ae998d29e4d12a9b86

SHA512
ddfd5bbef75ca3b3a1b4cea6c71f6e7a90c6ab0a6672c9b8767d3c28505348b2a44695d535e13fe09d1edfd08ad2a6decb6040f377eaeb586583ef202e76af54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
271ff64ee23e9f9890b344534dc05494

SHA1
004cfa47832757a1f1dd1c0daafa3ae8ed32c133

SHA256
f13ffbaf52342238b404f37a358c2ebd54fc3fedef206985321ba9efde757420

SHA512
348f1ebf19d4546de03a9b1503edbb6b51f26fe1821a88f0dee5c1d37e426b8357555dbdcb8410307b1088b059332e5acd79202a743f1f447935e8b9f2fa091f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4426cc4ecd2160db2c2e238e6b5bfbfb

SHA1
f31488044dfcaac5261449113602ffaa01619cf0

SHA256
6eb2925595504e0a8e7d2f40decbe2eff21041512695f99ae0e6e6f5bd850b6c

SHA512
b806f287cca18acd4ca31f594e310a82ccd8a673ddd2ad0bdad06a33619bf06d9b02dbe3cadd6ba32a0f0e3119666400166f89fb548927afbe9ad6d971658c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fffdcf19aa1f032c8b71fd2498e21006

SHA1
3f0d77789f057780e235c3d72326b0cefa3a324c

SHA256
90360846bd7e2ca9e68a8e5acb726119a428621d1143988d534eee4216a75fc9

SHA512
8af99f52083375c128d000cbb82a3580dbd5a91697d2b8e2d0bb0c398c923d8870412a90c4ba4e638d15c24cef4fafe9b57e1e053f1a88261b95bc2ed58bbc1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AB8A2121-B87A-11EF-9D96-D6B302822781}.dat

Filesize
5KB

MD5
aa50b1026b12d0d8aeade5c6b09ba188

SHA1
810c0ecb8a7c9742a5a0856303774263ebf8dfad

SHA256
969fea246d5f215d940103dcb02248b31d5f9df1efd5c6c2ff9dd851d0360d15

SHA512
4af59af29c352ece03540cf9630f3c9add268829bc58be19bcd2b63178e03123eac78864ffaffcb7ee05e98af6d9923890d61fe92b9d4051baad05974cdeb619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC8D9701-B87A-11EF-9D96-D6B302822781}.dat

Filesize
3KB

MD5
a643f5d17b25796398c7a4ebf78a7910

SHA1
907a512c52e20485f97aab939a82da87f6977bb8

SHA256
9604f6da35083b4b3cb8caadb0ef99571c937e52d7a04316e161076682c0ed6c

SHA512
139e0188fc382efa39eb7d816839c1cd56bf9cfa45ccee3f2e728929320f71d9384c716e05329d99c664963f8b8e804089b73c4ab0ae140da31ea167954227ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC8D9701-B87A-11EF-9D96-D6B302822781}.dat

Filesize
5KB

MD5
5709e8e609d45ce25fddf60263d700b3

SHA1
b4be6d856b0fc0160e0c0e32f811838515df753b

SHA256
92eab0c9afbbd725d7cf929fa1069a11ae3fa42c42214be1ded3964b174b5e77

SHA512
9b531a4fe453771c7e251c4d05e5e323ec0aa1a804df5edd5460a57e9d794eff265532a40369bbce6cb8600e38ba947c370ec71ae50cce024b6bdf4b25ff8614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7AAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7B8B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/840-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-153-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/972-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-143-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1856-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1856-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-708-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2296-209-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2640-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download