ramnit | 490ed9df3086c05d70ab333e6f7c6e27b1cfc93cd4138d4137b62275bb3293f9

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec69a16bdd2fd626bd60efc8741e0896_JaffaCakes118.html
Size

2.3MB
MD5

ec69a16bdd2fd626bd60efc8741e0896
SHA1

b08e3bcc7dc06983e680b29368a51d7eb0cdd314
SHA256

490ed9df3086c05d70ab333e6f7c6e27b1cfc93cd4138d4137b62275bb3293f9
SHA512

a8e12d8eb335f57d8b1342a5a6e5850acfecab8dabda0b3104ae40393d283c519830d90755029300d8206f576890339b1ae69679694dfc0485787c04ee0712ab
SSDEEP

24576:P+Wt9BJ+Wt9Bq+Wt9BU+Wt9B8+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+Wy:g

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 25 IoCs

pid	Process
2480	svchost.exe
2920	DesktopLayer.exe
1620	FP_AX_CAB_INSTALLER64.exe
2020	svchost.exe
3000	svchost.exe
1764	svchost.exe
1544	DesktopLayer.exe
2808	svchost.exe
3068	DesktopLayer.exe
2968	svchost.exe
3016	DesktopLayer.exe
3044	svchost.exe
2140	svchost.exe
1312	svchost.exe
588	DesktopLayer.exe
1856	svchost.exe
764	DesktopLayer.exe
1720	FP_AX_CAB_INSTALLER64.exe
760	svchost.exe
1552	DesktopLayer.exe
1036	svchost.exe
1600	svchost.exe
2188	DesktopLayer.exe
3960	svchost.exe
4028	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2596	IEXPLORE.EXE
2480	svchost.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d77-5.dat	upx
behavioral1/memory/2480-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2480-17-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2480-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2480-13-0x0000000000240000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2920-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2920-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2920-21-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3000-163-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2968-228-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/764-312-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1552-758-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9608.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAA82.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAAB1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAC46.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAC75.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5985.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAC08.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB2EB.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxACD3.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB358.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxACA4.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAA72.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxABAA.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB358.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\SETAA24.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETAA24.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETB29E.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETB29E.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305e334b7d4ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
1620	FP_AX_CAB_INSTALLER64.exe
3000	svchost.exe
3000	svchost.exe
3000	svchost.exe
3000	svchost.exe
1764	svchost.exe
1544	DesktopLayer.exe
1764	svchost.exe
1544	DesktopLayer.exe
1544	DesktopLayer.exe
1764	svchost.exe
1544	DesktopLayer.exe
1764	svchost.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
3068	DesktopLayer.exe
3016	DesktopLayer.exe
3016	DesktopLayer.exe
3016	DesktopLayer.exe
3016	DesktopLayer.exe
3044	svchost.exe
3044	svchost.exe
3044	svchost.exe
3044	svchost.exe
588	DesktopLayer.exe
588	DesktopLayer.exe
1312	svchost.exe
1312	svchost.exe
588	DesktopLayer.exe
1312	svchost.exe
588	DesktopLayer.exe
1312	svchost.exe
764	DesktopLayer.exe
764	DesktopLayer.exe
764	DesktopLayer.exe
764	DesktopLayer.exe
1720	FP_AX_CAB_INSTALLER64.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe
1600	svchost.exe
1600	svchost.exe
1600	svchost.exe
1600	svchost.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe
4028	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE
Token: SeRestorePrivilege	2596	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
1284	iexplore.exe
2420	iexplore.exe
2664	iexplore.exe
1944	iexplore.exe
2740	iexplore.exe
676	iexplore.exe
1932	iexplore.exe
2688	iexplore.exe
2588	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2588	iexplore.exe
2588	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2588	iexplore.exe
2588	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2588	iexplore.exe
2588	iexplore.exe
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
2588	iexplore.exe
528	IEXPLORE.EXE
528	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1284	iexplore.exe
1284	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
1944	iexplore.exe
2664	iexplore.exe
1944	iexplore.exe
2664	iexplore.exe
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2740	iexplore.exe
2740	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2596	2588	iexplore.exe	30
PID 2588 wrote to memory of 2596	2588	iexplore.exe	30
PID 2588 wrote to memory of 2596	2588	iexplore.exe	30
PID 2588 wrote to memory of 2596	2588	iexplore.exe	30
PID 2596 wrote to memory of 2480	2596	IEXPLORE.EXE	31
PID 2596 wrote to memory of 2480	2596	IEXPLORE.EXE	31
PID 2596 wrote to memory of 2480	2596	IEXPLORE.EXE	31
PID 2596 wrote to memory of 2480	2596	IEXPLORE.EXE	31
PID 2480 wrote to memory of 2920	2480	svchost.exe	32
PID 2480 wrote to memory of 2920	2480	svchost.exe	32
PID 2480 wrote to memory of 2920	2480	svchost.exe	32
PID 2480 wrote to memory of 2920	2480	svchost.exe	32
PID 2920 wrote to memory of 2944	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 2944	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 2944	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 2944	2920	DesktopLayer.exe	33
PID 2588 wrote to memory of 2796	2588	iexplore.exe	34
PID 2588 wrote to memory of 2796	2588	iexplore.exe	34
PID 2588 wrote to memory of 2796	2588	iexplore.exe	34
PID 2588 wrote to memory of 2796	2588	iexplore.exe	34
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 1620	2596	IEXPLORE.EXE	36
PID 1620 wrote to memory of 2404	1620	FP_AX_CAB_INSTALLER64.exe	37
PID 1620 wrote to memory of 2404	1620	FP_AX_CAB_INSTALLER64.exe	37
PID 1620 wrote to memory of 2404	1620	FP_AX_CAB_INSTALLER64.exe	37
PID 1620 wrote to memory of 2404	1620	FP_AX_CAB_INSTALLER64.exe	37
PID 2588 wrote to memory of 1496	2588	iexplore.exe	38
PID 2588 wrote to memory of 1496	2588	iexplore.exe	38
PID 2588 wrote to memory of 1496	2588	iexplore.exe	38
PID 2588 wrote to memory of 1496	2588	iexplore.exe	38
PID 2596 wrote to memory of 2020	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 2020	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 2020	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 2020	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 3000	2596	IEXPLORE.EXE	40
PID 2596 wrote to memory of 3000	2596	IEXPLORE.EXE	40
PID 2596 wrote to memory of 3000	2596	IEXPLORE.EXE	40
PID 2596 wrote to memory of 3000	2596	IEXPLORE.EXE	40
PID 2596 wrote to memory of 1764	2596	IEXPLORE.EXE	41
PID 2596 wrote to memory of 1764	2596	IEXPLORE.EXE	41
PID 2596 wrote to memory of 1764	2596	IEXPLORE.EXE	41
PID 2596 wrote to memory of 1764	2596	IEXPLORE.EXE	41
PID 2020 wrote to memory of 1544	2020	svchost.exe	42
PID 2020 wrote to memory of 1544	2020	svchost.exe	42
PID 2020 wrote to memory of 1544	2020	svchost.exe	42
PID 2020 wrote to memory of 1544	2020	svchost.exe	42
PID 3000 wrote to memory of 1328	3000	svchost.exe	43
PID 3000 wrote to memory of 1328	3000	svchost.exe	43
PID 3000 wrote to memory of 1328	3000	svchost.exe	43
PID 3000 wrote to memory of 1328	3000	svchost.exe	43
PID 1544 wrote to memory of 1048	1544	DesktopLayer.exe	44
PID 1544 wrote to memory of 1048	1544	DesktopLayer.exe	44
PID 1544 wrote to memory of 1048	1544	DesktopLayer.exe	44
PID 1544 wrote to memory of 1048	1544	DesktopLayer.exe	44
PID 1764 wrote to memory of 956	1764	svchost.exe	45
PID 1764 wrote to memory of 956	1764	svchost.exe	45
PID 1764 wrote to memory of 956	1764	svchost.exe	45
PID 1764 wrote to memory of 956	1764	svchost.exe	45
PID 2588 wrote to memory of 2268	2588	iexplore.exe	46

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ec69a16bdd2fd626bd60efc8741e0896_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2944
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1048
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2808
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3068
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1484
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2968
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2424
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3044
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2420
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2140
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1284
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1372
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1312
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1856
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:764
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2664
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2740
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        
        PID:1932
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:852
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1036
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2188
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        
        PID:676
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:676 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      PID:2688
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3960
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4028
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209929 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209934 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:4142087 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3552263 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3355655 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3617804 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6c0a8e2b1aee96c2770af9d09816109c

SHA1
e008230fbdfc0ba2e7cc5f7fbfda1418e7784fdc

SHA256
7d7f49f33cf3fcb682f447628d5f6b276a1a40347fc4990ff5cdeb9c1a3ec1e0

SHA512
7e3e906a5b3191434fc74c81384c20d4d93b7a4d431b22248fa1fe77c6934e809431608cc8d5dea84cb0ea46b4eaa723171337172c9dca0b6b1de0fe4f08ca6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b83fb9daea2a94ab75b9763a6374d906

SHA1
ea170ce61434b22dfdd36c640610f96ccf0f39cf

SHA256
4a0eb06c08ab7e12c070b9236d390c0fa21e08125451e499e9c72d25da8a6b6b

SHA512
b5ccf48eb03b6fa35bf5b53ffaed8135a217b5f1efd2d12f49e110a85569d95c9576f0c684490a7eed9beca202847440259dde7abca77f9869dfe0ff717281f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c4d8067df75d8e54159c70db6a030e7

SHA1
9d0adcf3192b655189fb3cf872e52b1f72110b39

SHA256
1577705ddc02b86a824ad8b10acdaef111e70b82605335bdc10c3a38678e5050

SHA512
ed1564ae9126e57e87841f8942187632b8793bd816aea988cc6ad647e5999addcd040e95deacf1dc2fae31d8e718150e073a880439744875d44090a717393fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3b6ebf12c29ed188f5d9c0ba27edc4e

SHA1
4a9267b887e09e922987e9dd4beed31e1eecaa78

SHA256
c73ce7b5b4a09ecb16ceb9a06cd3b4dc992d63dde5de012fc1be930baaee37cf

SHA512
126f7f1899507fe4d1660f07df23c5afbb81ef9afc325e570b5f59fef5319dcc728b517844f1fce841ef4450fbaaab955683750ac2e89794875128587ae21aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8e259a634e23f775b00be36d7c0187b

SHA1
f66693e9faeb028a9bad2ed3f22c480095141746

SHA256
51357b17a97f72e6ac0d6836a3bf2ce1be3e3cc3adcd2873bd26cb4d1ae52362

SHA512
8062d77238b7e04ba88ffd6d0b270952b951abf16abd87a77f1314321e58d05701ede8f77499026a2d09232e84b4d4b35089d3eaaa26ce88ec71f7c56560e14d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cab5de205acfe8340207d6071a82d92

SHA1
36124f5c14a0471f57a7299f8f03347c3ae6d50e

SHA256
9aafa895f73b3a1dfe8485bffe652e5b50776c8ea15bc8a5cf54a226dab8385a

SHA512
95c5b50ee4ff72803288a27fe381cac02c72911dfd6643f71d7a05d6ce131db21dbb77f267079bd8cba331e02b39cbb74fcff7a76adb90611551aca39b957ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07d10568ac161c2dde09e51da39e5a2a

SHA1
14fc008332556e8e4b192725e3370b1d1068c6e3

SHA256
efcf08572fe68ed2c745a94b371cf7d9d44343dac874fce41bdd3bc44cc4998b

SHA512
3e0247b9a35df8ed49886a96247a229e493174f6f713dc202a088629154039bbe1942b2d7cf38c6a3d6ecd9d9457a77db54a15f52ddf4736d948d006e8fa393d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
078dd678ba2b94f6dd1dba41569ac7ad

SHA1
64c9ac53acc74bfe514b93191ff529ce75026b65

SHA256
01dd8c1ea68626ded598edd5f78b89a4e76d5942076b1b56bd0c34a9e39f625b

SHA512
ea2254f26b3113c75a81ca1b398432fa3da67dd6d2266788ecf5bb2e0130e21df6425807c799330afc9420a716b08db01b2fe2ab6760e12b1218f1bc253c42a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9de27d51334544176135f0496833dd3

SHA1
a014344d56cc9f40368516e412d111b1257f0f16

SHA256
576fc5bc97c24036f2d652ed4fa0cefd2061cc5da884a8f43fd4f8329281428b

SHA512
7251ad4bd921cdec9767e07048af1ebfff70739ca0d2a29e1dbcbd2a98934a5e60c228a321b4fc556703b1ae1972261913d9090c3d13ed69ff22883d71949be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8250cb02d648706cd2a4b0c38a058879

SHA1
f3616b127bbdf2d0124d334f557ef2d35c4c79e7

SHA256
805f0a869afca69c7cc87a03b9bffaf37948a5c25f80d4855a4a2c497e6bf5f7

SHA512
f2f9c4a38f2a3a43ee0835bee35a79a5b344cae4ab37c4bf4919084a4cad3f42e3cc00a9f2d32d575c3923854232af68dec155ae2162c629b1206065ed50c279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6b9f5989910ca5675984c94d999c1fb

SHA1
87f22403298bfdadc91078275ae6586f6c5bb754

SHA256
e8b443d1c42d021b17473e27804b9c1711e1c4bff58a7acf6937eb1d73ec6c48

SHA512
051511eafff8d8b8eb703dc53484b5058de50cfa53fc11851941cbc9a3f182f42fd8950dc8dfb0d53fdd612cc4709b3a23155f5c6dbcecd99492609ade10a008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1965196d55bbaa4f54561aed3c8dded4

SHA1
64ad5d38adca02ce91aa32eca4a8d0b061247a48

SHA256
39708066f882b9ce2777a28e1f362eb161e92f914ed5f9e424253f5547d7bd90

SHA512
c0a88ffe74f656ad9d986fc1390e17689ee4f0f8a46699aed803038e351285aa1fe4c4a2562d9e035e8d1c5a7316345462d11c87127ea4bdf37c9de490881956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
725fe88c42cc215b523703da85aa9603

SHA1
777c3604b7e012260a73354abd7f410206f77a6e

SHA256
a754a28ad33374d4bd3b21977f6d7825d2611102e9f74022037eccce818d2a92

SHA512
6cc7eadc75528b639d6ce0944b509434adae5f84c57ad955085a7a11cdd274ed09c3ab846b4df65e2965fc0d15d227229b5b2ffb8575f14f1cd4358f3ef6a74f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52ae5f84e4a44ca1f954821875de9a2e

SHA1
f824b124a52da8a3229d15c013a7e69897ca7109

SHA256
6ec2c9362a7923dd9914a9e8acae97318d767d71863a68d58043f77cb7e7e13d

SHA512
41960bca5173787e2cc1652867b664b3c4e89ec32ee2e433c32335cd85a3e7b39ed89a571a362e57b2d0d8a51dda2ca14b06e41dedff7fc7fb56a99c1e7d5aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbe9b3b11f6e294a7af8777fc8a3e5bd

SHA1
9332fce144e7f53e2c48fd17801f82a04722697c

SHA256
59cd1e4f088b53583ec22600dbf219acd57c7b2909dc01478eabfc431c97cd17

SHA512
c2832dd742446695b3f8fb487c620a175c90e43863c1ccb70c50f21975c9af0bf0ddf8a4d91e33d3cb190391535069b760c485c6fc43aa81d93900e4a15c41a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8950e345f0a494514b4f8ea7e78e4f10

SHA1
8b4bfae01ac8f4ab08c3064a44bbd5270ee86b76

SHA256
e39cc9ae55e24295a78df16ae5e6c20cabee75761a351630081c00b87b407b1d

SHA512
d54b186dbbb992c6905a39d1dbf0a1be2bc04076deb2c1066e40f347e3f19556b4488e2df6e248358baeade5b6b683cfc640591103200a87c774df0f86497aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5fbd801864541bc9e103a4604df19c1

SHA1
974226fe6824c894250421aa88b5d68b5f13035c

SHA256
499c395c34002b9fb122e5a1f935adc5b1b7d97f179863101ce953bcba9dd24f

SHA512
a4532d33888f5a3afb2e3136052754f410e604827b90c3e2f1472bc10a82c1d4f20e79cddd8c4058487d0c7f6e12b8cd208e3bc3b9a113e14186becc83550cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
528b0176f1074ce5eb3cffa23da02479

SHA1
7527d821d42baeaa34e0103087b4151279a9fa7d

SHA256
3a0abab3001c7e1e51fd16221601cb1c960c2c79f6f34469dc06d820d3d5b743

SHA512
f3ab73c072616e06e549494f0b88c361e13e7e4897145dafd3d0b657956d060ea940474b7d8f9018e20ea94f0ff39e14e80fa86c843460f0dafca66209e8b12b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b57b2e0ac4a58175a7aee379988bc0da

SHA1
58945011ada16a24540ad12ba9e51b8b2f50f68a

SHA256
bcf138d8c02826cb311657bb3622d669def48e14e47b4a8bfb564de2ca627b14

SHA512
2fe5cf65020bf040a0db689ed956859ed84466bac30796576e2f6fa4be7b9f536581442e25c49c3818d6e50e6403d3d35f535da5d1a7d2b772bf3e9e26849ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90cd3d51139faf5cb8f61777a41ddd3f

SHA1
577105aeb49194947e0c6d1eb967362258e9eeab

SHA256
23adfba1b2b59b5de8de7db669319f7574e6e8704fab03ae5fbb7e9650135fbe

SHA512
c6051e1d403c7a42c15deb4e3dfd16d4cfa38f9803f163a8de93ca5fc7fd715ab9b1e242a48bb3f0eb81cd4a5a96dcc9eba6111c601cbd30882c1de8016faef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365571b9dc4b0e4dad5e251ceccbc8bf

SHA1
3699f8f9cd36bd94c4bd77f9fcc8a33ef401ea41

SHA256
615f13926f7fe45e0513e41fcef77012526745f8cd207f7a6947c8ff0ae13c1c

SHA512
5e10e639a0772b42e33028b247ef81db9db9b2b8ccedc120bc92c4888562d63b37154b199d1cd3ae25ccf8580a7907c8ea9302a50e4b8ec14b09bdbfb8e3f5d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9663951d9cfe480a96eef1bfe5a2919a

SHA1
4a4519bc58ee571f8391ca9d622c2df11021ab31

SHA256
37e08d5d80259c55147ce66c6436a4182a0ecbc049c4aab0a35cd6c5aabd8b58

SHA512
7aaa82910b47eec18983f2eedcdbb12986a66d944381692c0909aae8e55443f5e44f4a2445f101870e19b6220e276bf9a07f9e6e99064dec632566f7d68298ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1292345b4bbb04d04dbb49820bf71286

SHA1
f9aa360d36839aa09392727ecf761b7e37eadf09

SHA256
12ae06711de6fc3b25023a9102a0c97176efbee7eb6acf15fd5bfd346bd6a3b5

SHA512
6beb679769f35fb7be41b1556b297a03d05d94a3f69e1340319ce4c784ae2d0af4925fc18021419b61a40cffcd291a3af21fb14bd94291d819fc1b4c9f2bac22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49abb63d1df287aca6f5ef2465764e35

SHA1
5b74c463d6853d2d2337422e01b40984d0110753

SHA256
03df95c2fc8e693aa62c6427923fc42e095bfb660045f1fefc351b1f1772e7cd

SHA512
70233422a2f14c1441adacb4260ffe97a2893340b5f68769d5cba3355eed2fb6a7543443939c7c368d4f3aa3d41c1467871d2f66503adc182097d9e528bd5be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d3c8e0f01e9af2283024dfe6149bdc

SHA1
d72bd83a44f348a4eb62e2efa4bd4aaf2c9133b0

SHA256
bf045050b4a62c7ff4713c3cd33b055badafef8519a1b54b81d76792e10aff93

SHA512
c964a0d9048449df7d2a40c3706e3c607bd9180bd54b493f96fff66a4aa98c512e390ae94a317194738f255dc77e3c59f1b55231995a9a93a4e7c6eaf233f300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8309a2b62073ac0fa841ac17c58cf476

SHA1
713771b2a1a853f13017bf31d13d1a479da02ef8

SHA256
640efd34b9e43fbd191af7ab9497f051586af56e8cbd7cc0351213cf3dd548ab

SHA512
58c8920dcaddceacbdcd5799f3b4197cbc0ef14e776ff8b533cac82b7cf23fb37aa5efd6deb498569cd1a1990cbfd2b8247b94e54c7fccdd119ba3f122bc3d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2038579af6a180de874dd6089d8e489

SHA1
8ca7c102dd280bafc39461cb005abee3a9c28283

SHA256
e970cdd0345963d20b97ea233ee930de4f0b15098909865cb79351d051dfe3b2

SHA512
73753b69df9e0d7a5396ba206010385a1a75b794686992a68b6ab75b78d78d2a5e5ada9007dd52f6654857c844e369c62e76d83a614daf1e5521faf7fe4b4421

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91b979734e5099439c85c70216a8fc2e

SHA1
4722e0f53d6a06fe3a0f7d92efae578a14619c91

SHA256
1644b72b6d1b7ed4c0fcc9c8652ef8ae73cc5c732420fe0615022bcac586a585

SHA512
28235f7a763bb86e6ef3c4267328c03659536402e4478aaa4bb206dd9e15b185a0820c7072fa7cd78a3e3f1944245cd13dbc3789fa42fb5cc29ea4e5452fe9fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26b3b0daf50555bb41dfd86210042a24

SHA1
432e3b858ba97d05f3e5a7d5b05a30007ddeb565

SHA256
e85524fefce0749808899a36eac732cc5edaa8b5310391b47d774e1211440b0d

SHA512
7faf2f28668e012610f0436dda3ad438b0c397bfa5c609ac653f2f1c4cce9c54d713794bbb9c10487639bf1d3e7b2b745dd4ea837c4747bc0b9c7cbf119ca6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b7c6adf2d25fdf6c2a48611845e6397

SHA1
c6189eb42e4d727e3706eabbce8da4d80f7f58c9

SHA256
1b262935c886bd1b639d2f46fc5c82dca590db7997806ab40de40f3b29aa1a9f

SHA512
62491176446941d5eb4e575335df94e63beb6ff753e2110677054581b87bf3665bc210c3a140f72d840b53eee18db74b5fd60fb75a98d284eaeed555012a6d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d634fee0748422af93ea231214d0ab5

SHA1
038e2e32a31f1145a874cb1fa75088a619e86961

SHA256
e02d6aaf7c14964027433d241d637a65608880156130e7aa24f9c101f58d7ec7

SHA512
fc14bef6a4f1eba26af6437225d476a1019dc80150bffb3ca9f5f476373315b6f378b9fa08846a6c3f928d903cd49d4674d61d6ee6c58ed57b08d2c0ad97a2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea313f1447c47b83c7c0817bbf2d7b2a

SHA1
c45b67ffaa499e660d62f5f1b428ae99969c10c2

SHA256
d4bd2ac4720d5643162d23711dec4713e25638e566a3e65e2bf4dd2757c00f03

SHA512
b797b9c3d809421996f67dc8c43ab6119bd7dfc5f192bac7dbc5a9ddb347aa893571f1e18ae4c621c562a903bbae8e43fbcf00ebb161a8bf08760203c70dca09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be502c07f679faa41f9638b845a1886b

SHA1
0babdc65ae74535db4671608567ddd64e261182b

SHA256
2289543357b0e0145ff5f74e35fb62224c3c12e56047d84afb8674ee840ed5ee

SHA512
ce03174aa2e04df71024dcf746fd445b0a9cedfff2449bcbc4c3fe18c021a5612bb4fd13dfb5459176055500c0536f7ece548da67ac7c8ad18f3552d9b1a0e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46044f65e865d8420129752e54c9603f

SHA1
fa46c98bbdf06472da0a0f6abcaa1e28bf0ad47c

SHA256
8becac867eb647bad50352f6688197afa247f1eeb4f6bdc3852919b49fb19f08

SHA512
83502b4bca1f8cfd3e2af8509ebc5367d535e18e0acb694ebc38380cf3b6a3398aacb494c67f233d2c1c5faeb0ef20eb0325593723c63e723597e0e629afbcb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c05db82ade212f7a06f0d82b956b6fec

SHA1
9caba5932ed0e98eb9d63374e362a86867f20336

SHA256
2ff43cc058712df249f80e31ac0c69b2935029f173b871c4dc2aa0c1c710a732

SHA512
a6f93cc452e7003c3ba107b0d62014f7b12e01b738a0c7f62969dbe26beef6f03b4268eb6ccb9c4f6f71b9cfb1eb1cad0c9e50b17120585986dee62cd1162e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f7af8e7379026551441e8feddaee3e

SHA1
d6a4e4e2dbbcf733a68bcc1b7985f3d2b1bcb186

SHA256
e8da16da8f20afb65765417903bfddf31d8bc146a2d361c04d461a7664081779

SHA512
f3c4e4eee5a651e33ce1917f717bb45206c8e8c0021579d5ea3992a38c278427c8d360dc3de75b646b7d596b1d7c0efbddcbd77b59d28d7bd10109b1e536434a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2868af1ca919b6a71dbe493e9038738e

SHA1
8830aa19d33ecf3804868b4e8084b02a2940659e

SHA256
5c82d6b46d91a631fe78d6b9bb842edf49f2028e4f26f73dba1a61f51874a7f3

SHA512
ff4929c16bfce21edb4db2076072b71ed30bd1448a2be9ced1876916d7a452931ccda6805f9c2e6d87ea605f1b0bf166e61afcf6aa520cbd400f17e6258d3a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4e751798881654973035ce897e4f1ac

SHA1
4091073f529a1f1f3395b402085a98b9bb9b8335

SHA256
96acddcef9c249183bf20f89b63baf51dd1a83c71c046790ef3c80f8be10ba14

SHA512
5b69b63f1c27d59df2e5d3a9ef5964b3e6e4d1a04a4eb8be2a6d68d026e5bab9d0b20e3d788004bff2520ec7735ad65e75d4c6c52ede7976179a679b2c99d65c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66659c675d96ce60573ce088ab5cad51

SHA1
d1d9d07a5c11667e14a1221f4b010cb81c9d1cd9

SHA256
dbe995cfcb2f5174f3c95e141f354fb01e2f11daa29a183e88024c3d5f7792cc

SHA512
36fd9de27a2893db01b657da39b874941098a99bc58578fc875f78978e894996b61900c07ca3e06d9b777d88f533263c9376940285f97c5dbe02fb1f066c4f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9847bc69ea7ac74b16b1368e53df4e90

SHA1
1b109468260f21af8f6c543c5109cf685d64a09a

SHA256
3234dccf9f5ca0c66fa4c48ec82f02b0d9909b1b790fb71433e8a5382f5423d2

SHA512
1726ed0990df8be86b816819b310cfd2f0f07df774247660cdd09e1cf4f89760671fad0c2b601df0dfa1da6344538053c44f88c40bcfb51cc144b52716b29a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb66e879e5a11cb11870dff14faae226

SHA1
c919cc3e86eaa85829a0b8716f914c3635d2ec7f

SHA256
ca342a3a76941d6ae427571be7dc418271d3c01520d4ea186027bf9d75ed3328

SHA512
28ba18903155e78ff092f0685ccc4632a0be744ab4a5dd3888f3844abe991386adb46626f21559b84cc0f30d2bcffc1e3562dad47c19163d5d6de3b261ab2a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
65134b3d5ba62e53dd2131e3c72b3f31

SHA1
b0d9aeb4af9d52f81829209fbb01e5625978338e

SHA256
a9c490c0ea611ccea97d0040b24e58998005c573dd1ba6e2e13f3a2d23539dd7

SHA512
8e76ca9b69ebe91aea3f83d99f1b03b9ee738899a7e95f05a1f705bc855c40ed9ca8ad18b9c46ac3f79577448374af4919f0841ba1af79a07d1066b51bcecbb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8138FCB1-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
5KB

MD5
b68d00239bbbb6834f3d306a7f910542

SHA1
17f46edabfb1a273c121d0f90aec8795af579fa3

SHA256
b1bbf6efe1a23986c496da055cfac8bb83e75034c310038d303507d40ac1ffea

SHA512
03745df712bd66ff1a1b7caef487003de03c2f0de7e634bb17368deaefb3bceff2c7fcdbb30a5c334e29a6dd5e276c4aad20f69e770944e8f0d409761535a158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8149A651-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
5KB

MD5
8fbd9062c879727f01c3484da4d6443d

SHA1
82c1ac7a95fe80685beb523fe16c14da309b57d4

SHA256
660fd1b499bbf1efaac22235d5ef4c5c3c0c400c7e353fd03da82d5b8fcc0825

SHA512
2030e601e780fe14736753451ea23815d941b5add7bb58a1ca589aa738a81f415ecc20014851a8c099428f3d12c81264f4fb5beaf76c068d57b5005198e65b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{814C07B1-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
3KB

MD5
72e5e3ca0f03af76998d083c1ef9e740

SHA1
573db2e07288c3fc5deeee287c74dc048e677fbd

SHA256
effc0563f343b1b8fd55c349c1530e1d026d8caa8fc57c6eab285622fd5c89de

SHA512
74838854e5fd1fe9aac3e404f2935e440b575d9002c5f66c074672e7caab506e72d22d2c9b8f533223deefb5b9dffe84384d499d53c0cc00797107a507b98228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81F04691-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
3KB

MD5
384213eac8e010373045c1dbf3cbcf9a

SHA1
9024dd4e67d06ef6f6f7f4b99c98550279c0a4ca

SHA256
a83722d2d8debb0cdd69a8ff81253f299f96e725091f14b780144b85ec6c7ef7

SHA512
5e1b059994a7f42b5081089e542ffa9b53cc1b9cb537f918e3f5149810fb76ab1afc59aad7120f0c47bc0b464e4141403d59f67ca8a52de35b3589bebc1193fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81F04691-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
5KB

MD5
544928dcdfafc25db81b55c317f976ff

SHA1
0483dcd767cce12b23bc865aec96b871a9fab3fc

SHA256
31775ea63d7372f49ee8bfd99b66add917467af24f8c9e50701c88fe3b992e51

SHA512
808e2f7a994134326a26200e6764034fd50807ce865bc570952e52226ce96a63f90c315743bc5cf18852bca44d3bd4bdad5a16423750ab963eedc8c36e5e85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{824ABAD1-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
5KB

MD5
dd68daccbb907da9c05180e63092da04

SHA1
1a7a509a945ada01b47e0777dc2b5bc94cc7af80

SHA256
8e3906552825b5ca7d6b7fa54f4aadd19dd4eddb8807a1be384019ec482de247

SHA512
e98857773f0997c63a7dae7e895c61ec971f62413672bab2982e306315d6a0cd24c0fb5c2a43bc3ff1260feb8a72a8817270684a5845658a895cf6f02f526572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8251DEF1-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
5KB

MD5
cbef2953b3c6ccbe5df5d43b8a0d7f20

SHA1
7099ee5392f42dcbc90ce5227e939fdb60a10ce3

SHA256
1dd26e4ea1e73ece4b3cbef65bfc3aafce39a6b44481b2f4128ddde09f8d9a7a

SHA512
baca6017c3b8cfc19fc57d9b6ab36b80ce75dc6b2da5757ad32461deb1f6107958deba3b227dce55e966c966f78401d8c35fe4b4ab17e171a619f5225cd7f928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8256A1B1-B970-11EF-A160-DA2FFA21DAE1}.dat

Filesize
3KB

MD5
b0554cc6007723f56d3e6e0b3c2be026

SHA1
534a94d5db99cca70a530be9b2dca7e0d865caad

SHA256
184683b0324ea77932ab51387808e410915db889a2d553a84207675a2f728cb9

SHA512
062ec0e7c71008467c02ea982c185dbe50b86eda4028b074315a74ec4cd05ee765239aac5856eb2733427314090b6c7d94a9be1d68b98c429bb5715187edd51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA334.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA440.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
memory/764-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-758-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-7-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2480-13-0x0000000000240000-0x0000000000275000-memory.dmp

Filesize
212KB

Download
memory/2920-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-20-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2920-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-160-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3016-265-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download